KrbRelayUp Service Installation
Detects service creation by the KrbRelayUp tool, which is used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
Sigma rule
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
  - https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1543
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
    ServiceName: 'KrbSCM'
  condition: selection
falsepositives:
  - Unknown
level: high
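The rule above is a single equality match on the System log's service-installation event. As an added example (not code from the Sigma project or from the KrbRelayUp repository), the script below parses Windows 7045 events in their EVTX XML form, flattens them to the field names the rule uses, and applies the rule's `selection`. Every event, hostname and image path in it is constructed for illustration; the `ServiceName`, `ImagePath`, `ServiceType`, `StartType` and `AccountName` data fields are the ones the Service Control Manager writes for event 7045.

```python
# Added example, not part of the Sigma project or of this rule's page:
# evaluates the rule's selection (EventID 7045, ServiceName 'KrbSCM') over
# Windows System-log events serialised as EVTX XML.
# All events below are constructed; hostnames and image paths are placeholders.
import xml.etree.ElementTree as ET
from typing import List

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(service_name: str, image_path: str,
               computer: str = "WS01.example.test") -> str:
    """Build a constructed 7045 (service installed) event in the Windows
    event schema: System metadata plus the EventData fields SCM emits."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7045</EventID>
    <Channel>System</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="ServiceName">{service_name}</Data>
    <Data Name="ImagePath">{image_path}</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>"""


# Constructed sample log: one benign install, one rule hit, one case variant.
SAMPLE_EVENTS: List[str] = [
    _event_xml("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    _event_xml("KrbSCM", r"C:\Users\Public\placeholder.exe"),
    _event_xml("krbscm", r"C:\Users\Public\placeholder2.exe", "WS02.example.test"),
]


def parse_event(xml_text: str) -> dict:
    """Flatten one event into the field names Sigma's Windows backends use."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    fields = {
        "EventID": int(system.find("e:EventID", EVENT_NS).text),
        "Channel": system.find("e:Channel", EVENT_NS).text,
        "Computer": system.find("e:Computer", EVENT_NS).text,
    }
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def matches_rule(event: dict) -> bool:
    """The rule's `selection`: EventID 7045 and ServiceName 'KrbSCM'.
    Sigma string matching is case-insensitive by default, so both sides
    are lowercased before comparison."""
    return (event.get("EventID") == 7045
            and str(event.get("ServiceName", "")).lower() == "krbscm")


def run(events: List[str]) -> List[dict]:
    """Return triage-ready hits: host, service name and the registered binary.
    The Channel check mirrors the rule's `logsource: service: system`."""
    hits = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev.get("Channel") == "System" and matches_rule(ev):
            hits.append({"Computer": ev["Computer"],
                         "ServiceName": ev["ServiceName"],
                         "ImagePath": ev.get("ImagePath", "")})
    return hits


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f"[KrbRelayUp Service Installation] {hit}")
```

Because the detection keys on one fixed service name, a renamed service passes it silently; the `ImagePath` surfaced in each hit is what an analyst would pivot on, and the "Service Installed By Unusual Client" rule listed below covers the broader 7045 case.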
Related rules
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- PUA - Process Hacker Driver Load
- PUA - System Informer Driver Load
- Service Installed By Unusual Client - Security