Kerberos .kirbi Ticket Files
Kerberos ticket files (.kirbi) are of interest to adversaries as they can contain sensitive data such as NTLM hashes that can be cracked offline. To perform these attacks, a unique file extension variable is defined within Mimikatz that designates the default extension as .kirbi. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Kerberos .kirbi Ticket Files
2id: 8132d811-8314-40bc-9bb0-4bcdc33605e9
3status: experimental
4description: |
5 Kerberos ticket files (.kirbi) are of interest to adversaries as they can
6 contain sensitive data such as NTLM hashes that can be cracked offline. To
7 perform these attacks, a unique file extension variable is defined within
8 Mimikatz that designates the default extension as .kirbi. Part of the
9 RedCanary 2024 Threat Detection Report.
10references:
11 - https://redcanary.com/threat-detection-report/threats/impacket/
12author: RedCanary, Sigma formatting by Micah Babinski
13date: 2024/03/21
14tags:
15 - attack.s0002
16 - attack.credential_access
17 - attack.t1558
18 - attack.t1558.003
19logsource:
20 category: file_event
21 product: windows
22detection:
23 selection:
24 TargetFilename|endswith: '.kirbi'
25 condition: selection
26falsepositives:
27 - Unknown
28level: low```
References
-
Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries.
Read More
Related rules
- Possible Impacket GetUserSPNs Activity
- Mimikatz Module Names
- Uncommon Outbound Kerberos Connection
- No Suitable Encryption Key Found For Generating Kerberos Ticket
- Potential Credential Dumping Activity Via LSASS