HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module (its remote-registry secrets-dump path).
Sigma rule

title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
status: experimental
description: Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\windows\temp\sam.tmp'
            - ':\windows\temp\sec.tmp'
            - ':\windows\temp\sys.tmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
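The selection above is a single `endswith` test on `TargetFilename`, with the patterns starting at the drive-letter colon so that any volume matches. The following is an added example, not part of the rule or the RemoteKrbRelay project, that evaluates that selection the way a Sigma backend would (case-insensitive suffix match) over a handful of constructed Sysmon FileCreate records. It assumes the usual `file_event` to Sysmon Event ID 11 mapping and invents the sample events; none of them is real telemetry.

```python
"""Evaluate the RemoteKrbRelay secrets-dump file-name selection over sample file events.

Added example; assumes Sysmon Event ID 11 (FileCreate) as the file_event source.
"""
from typing import Iterable

# Suffixes copied from the rule's TargetFilename|endswith selection. The leading
# ':' anchors the match at the drive-letter colon, so C:, D:, ... all qualify.
SUFFIXES = (
    r":\windows\temp\sam.tmp",
    r":\windows\temp\sec.tmp",
    r":\windows\temp\sys.tmp",
)

# Sysmon event type that the Sigma file_event category maps to (assumption for this example).
FILE_CREATE_EVENT_ID = 11


def matches_selection(target_filename: str) -> bool:
    """Sigma string comparisons are case-insensitive by default, so the path is
    lower-cased before the suffix test; the patterns are already lower-case."""
    name = target_filename.lower()
    return any(name.endswith(suffix) for suffix in SUFFIXES)


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return the FileCreate events whose TargetFilename satisfies the rule's selection.

    The condition is just `selection`, so a hit is any FileCreate record with a
    matching file name; the Image field is kept for triage but is not part of the rule.
    """
    hits = []
    for event in events:
        if event.get("EventID") != FILE_CREATE_EVENT_ID:
            continue
        if matches_selection(event.get("TargetFilename", "")):
            hits.append(event)
    return hits


# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\SAM.tmp"},          # hit: mixed case still matches
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\sec.tmp"},          # hit
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"D:\Windows\Temp\sys.tmp"},          # hit: other drive letter
    {"EventID": 11, "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Windows\Temp\sam.tmp.bak"},      # no hit: wrong suffix
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\sam.tmp"},           # no hit: not under windows\temp
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Temp\sys.tmp"},          # no hit: not a FileCreate event
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT level=high image={hit['Image']} file={hit['TargetFilename']}")
```

Because the rule keys on file names alone, a hit tells you only that one of the three temporary hive files appeared under `Windows\Temp`; the writing process (`Image`) and the surrounding SMB/remote-registry activity on the host are what you pivot to during triage.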
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- Hijack Legit RDP Session to Move Laterally