KrbRelayUp Service Installation
Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
Sigma rule

```yaml
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
  - https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
  - attack.privilege-escalation
  - attack.t1543
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
    ServiceName: 'KrbSCM'
  condition: selection
falsepositives:
  - Unknown
level: high
```
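To show what the selection above actually fires on, here is an added Python example (not part of the Sigma project or of the rule itself) that applies the rule's two-field selection to a few constructed System-log records; the `SAMPLE_EVENTS`, `matches_rule` and `find_alerts` names are assumptions for illustration. It also covers a point the YAML does not spell out: Sigma string values match case-insensitively by default, so a service registered as `krbscm` is caught as well.

```python
# Added example: evaluate the KrbRelayUp Sigma selection against constructed
# Windows System log records, shaped as a SIEM might normalise them.
# Helper names and all sample events below are constructed for illustration.
from typing import Any, Dict, Iterable, List

# The rule's selection map: every field must match (a Sigma map is a logical AND).
SELECTION = {"EventID": 7045, "ServiceName": "KrbSCM"}


def field_matches(expected: Any, actual: Any) -> bool:
    """Compare one selection value with the event's field value."""
    if actual is None:
        return False
    if isinstance(expected, str):
        # Sigma string matching is case-insensitive by default.
        return str(actual).casefold() == expected.casefold()
    # Numeric values: tolerate SIEMs that store EventID as a string.
    return str(actual) == str(expected)


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when all selection fields match the event (the rule's condition)."""
    return all(field_matches(v, event.get(k)) for k, v in SELECTION.items())


def find_alerts(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the RecordNumber of every event the rule fires on."""
    return [e["RecordNumber"] for e in events if matches_rule(e)]


# Constructed sample events; only records 1 and 2 should alert.
SAMPLE_EVENTS = [
    {"RecordNumber": "1", "EventID": 7045, "ServiceName": "KrbSCM"},
    # Same installation logged with a lower-case name: still matches.
    {"RecordNumber": "2", "EventID": "7045", "ServiceName": "krbscm"},
    # Same service name but a different System event (7040, start type change).
    {"RecordNumber": "3", "EventID": 7040, "ServiceName": "KrbSCM"},
    # A benign service installation: no alert.
    {"RecordNumber": "4", "EventID": 7045, "ServiceName": "Windows Update Service"},
]

if __name__ == "__main__":
    for rec in find_alerts(SAMPLE_EVENTS):
        print(f"KrbRelayUp Service Installation: System record {rec}")
```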
Related rules
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- PUA - Process Hacker Driver Load
- PUA - Process Hacker Execution
- PUA - System Informer Driver Load