KrbRelayUp Service Installation

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Sigma rule (View on GitHub)

 1title: KrbRelayUp Service Installation
 2id: e97d9903-53b2-41fc-8cb9-889ed4093e80
 3status: test
 4description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
 5references:
 6    - https://github.com/Dec0ne/KrbRelayUp
 7author: Sittikorn S, Tim Shelton
 8date: 2022-05-11
 9modified: 2022-10-05
10tags:
11    - attack.privilege-escalation
12    - attack.t1543
13logsource:
14    product: windows
15    service: system
16detection:
17    selection:
18        EventID: 7045
19        ServiceName: 'KrbSCM'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

Related rules

to-top