HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
Sigma rule (View on GitHub)
1title: HackTool - KrbRelay Execution
2id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
3status: test
4description: Detects the use of KrbRelay, a Kerberos relaying tool
5references:
6 - https://github.com/cube0x0/KrbRelay
7author: Florian Roth (Nextron Systems)
8date: 2022/04/27
9modified: 2023/02/04
10tags:
11 - attack.credential_access
12 - attack.t1558.003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\KrbRelay.exe'
19 - OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation
20 selection_cli_1:
21 CommandLine|contains|all:
22 - ' -spn '
23 - ' -clsid '
24 - ' -rbcd '
25 selection_cli_2:
26 CommandLine|contains|all:
27 - 'shadowcred'
28 - 'clsid'
29 - 'spn'
30 selection_cli_3:
31 CommandLine|contains|all:
32 - 'spn '
33 - 'session '
34 - 'clsid '
35 condition: 1 of selection_*
36falsepositives:
37 - Unlikely
38level: high
References
-
Framework for Kerberos relaying . Contribute to cube0x0/KrbRelay development by creating an account on GitHub.
Read More
Related rules
- HackTool - KrbRelayUp Execution
- Potential SPN Enumeration Via Setspn.EXE
- HackTool - Rubeus Execution
- Suspicious Kerberos RC4 Ticket Encryption
- Potential CVE-2021-42278 Exploitation Attempt