Kerberos .kirbi Ticket Files

Kerberos ticket files (.kirbi) are of interest to adversaries because they can contain sensitive data, such as NTLM hashes, that can be cracked offline. Mimikatz defines a file extension variable whose default value is .kirbi, so files written with that extension are a useful indicator of these attacks. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Kerberos .kirbi Ticket Files
id: 8132d811-8314-40bc-9bb0-4bcdc33605e9
status: experimental
description: |
    Kerberos ticket files (.kirbi) are of interest to adversaries as they can
    contain sensitive data such as NTLM hashes that can be cracked offline. To
    perform these attacks, a unique file extension variable is defined within
    Mimikatz that designates the default extension as .kirbi. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0002
    - attack.credential_access
    - attack.t1558
    - attack.t1558.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.kirbi'
    condition: selection
falsepositives:
    - Unknown
level: low
```
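To show what this selection does and does not match, here is an added example (not from the page or the Sigma project) that applies the rule's `TargetFilename|endswith` selection, using Sigma's case-insensitive string matching, to constructed Sysmon Event ID 11 (FileCreate) records. The `Image` field and the sample paths are assumptions.

```python
"""Evaluate the .kirbi Sigma selection against constructed Sysmon FileCreate events."""
import json

# Rule fields reproduced from the Sigma rule above; only the selection drives matching.
RULE = {
    "title": "Kerberos .kirbi Ticket Files",
    "level": "low",
    "tags": ["attack.s0002", "attack.credential_access",
             "attack.t1558", "attack.t1558.003"],
    "selection": {"TargetFilename|endswith": ".kirbi"},
}


def field_matches(event: dict, spec: str, value: str) -> bool:
    """Apply one Sigma 'field|modifier' entry. Sigma string comparison is
    case-insensitive, so 'TICKET.KIRBI' must match '.kirbi' as well."""
    field, _, modifier = spec.partition("|")
    observed = event.get(field)
    if not isinstance(observed, str):
        return False                      # field absent: the entry cannot match
    observed, value = observed.lower(), value.lower()
    if modifier == "endswith":
        return observed.endswith(value)
    if modifier == "startswith":
        return observed.startswith(value)
    if modifier == "contains":
        return value in observed
    return observed == value              # no modifier: exact (case-insensitive) match


def matches(event: dict) -> bool:
    """The rule's condition is just 'selection', so every selection entry must hold."""
    return all(field_matches(event, k, v) for k, v in RULE["selection"].items())


def alerts(events) -> list:
    """Return one alert record per matching event, carrying the rule's metadata."""
    return [{"title": RULE["title"], "level": RULE["level"], "tags": RULE["tags"],
             "image": e.get("Image"), "file": e["TargetFilename"]}
            for e in events if matches(e)]


# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate); paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Tools\m.exe", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\ticket.kirbi"},
    {"EventID": 11, "Image": r"C:\Tools\m.exe", "TargetFilename": r"C:\Temp\TICKET.KIRBI"},
    {"EventID": 11, "Image": r"C:\Windows\notepad.exe", "TargetFilename": r"C:\Users\alice\notes.kirbi.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\alice\report.docx"},
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The `.kirbi.txt` record is deliberately included: `endswith` anchors on the true extension, which is why it does not fire there.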
