KrbRelayUp Attack Pattern
Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like
Sigma rule
title: KrbRelayUp Attack Pattern
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: experimental
description: Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like
references:
    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
    - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
author: '@SBousseaden, Florian Roth'
date: 2022/04/27
tags:
    - attack.privilege_escalation
    - attack.credential_access
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    condition: selection
falsepositives:
    - Unknown
level: high
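As an added example (not part of the rule or the Sigma project), the following Python evaluates the rule's selection over constructed Security 4624 EventData records, including a loopback Kerberos logon for a regular domain user (RID 1500) that shares the suspicious shape but must not match because "-1500" does not end with "-500". Field names are those used by the rule; the SID and IP values are constructed.

```python
"""Evaluate the KrbRelayUp Sigma selection over Security 4624 records.

Added example, not the rule's own code. Events are constructed dicts of
EventData fields as they appear in Security.evtx; field names follow the rule.
"""

# Constructed 4624 EventData records (values chosen to exercise each field).
SAMPLE_EVENTS = [
    # Network logon, Kerberos, from loopback, to the built-in Administrator (RID 500).
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # Same shape but a regular domain user: RID 1500 must not match the '-500' suffix.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1500"},
    # Loopback logon to RID 500 but authenticated with NTLM, not Kerberos.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "127.0.0.1", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # Kerberos network logon to RID 500 from a remote host (constructed address).
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.5", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # Interactive logon (LogonType 2) to RID 500 via Kerberos from loopback.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # EVTX exports often carry numbers and mixed case as text; Sigma matching is case-insensitive.
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "kerberos",
     "IpAddress": "127.0.0.1", "TargetUserSid": "s-1-5-21-4444444444-5555555555-6666666666-500"},
]


def matches_krbrelayup_pattern(event: dict) -> bool:
    """Return True when every field of the rule's selection is satisfied.

    Sigma string comparisons are case-insensitive, so values are lower-cased;
    EventID and LogonType are compared as text because EVTX stores them that way.
    """
    def field(name: str) -> str:
        return str(event.get(name, "")).lower()

    sid = field("TargetUserSid")
    return (
        field("EventID") == "4624"
        and field("LogonType") == "3"
        and field("AuthenticationPackageName") == "kerberos"
        and field("IpAddress") == "127.0.0.1"
        and sid.startswith("s-1-5-21-")
        and sid.endswith("-500")
    )


def alerts(events) -> list:
    """Return the TargetUserSid of each event that satisfies the selection."""
    return [e["TargetUserSid"] for e in events if matches_krbrelayup_pattern(e)]


if __name__ == "__main__":
    for sid in alerts(SAMPLE_EVENTS):
        print("KrbRelayUp pattern:", sid)
```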