HackTool - KrbRelay Execution

Detects the use of KrbRelay, a Kerberos relaying tool

Sigma rule (View on GitHub)

 1title: HackTool - KrbRelay Execution
 2id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
 3status: test
 4description: Detects the use of KrbRelay, a Kerberos relaying tool
 5references:
 6    - https://github.com/cube0x0/KrbRelay
 7author: Florian Roth (Nextron Systems)
 8date: 2022-04-27
 9modified: 2023-02-04
10tags:
11    - attack.credential-access
12    - attack.t1558.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\KrbRelay.exe'
19        - OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation
20    selection_cli_1:
21        CommandLine|contains|all:
22            - ' -spn '
23            - ' -clsid '
24            - ' -rbcd '
25    selection_cli_2:
26        CommandLine|contains|all:
27            - 'shadowcred'
28            - 'clsid'
29            - 'spn'
30    selection_cli_3:
31        CommandLine|contains|all:
32            - 'spn '
33            - 'session '
34            - 'clsid '
35    condition: 1 of selection_*
36falsepositives:
37    - Unlikely
38level: high

References

Related rules

to-top