HackTool - RemoteKrbRelay Execution

Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via CommandLine flags and PE metadata.

Sigma rule

title: HackTool - RemoteKrbRelay Execution
id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
status: experimental
description: |
    Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\RemoteKrbRelay.exe'
        - OriginalFileName: 'RemoteKrbRelay.exe'
    selection_cli_required:
        CommandLine|contains|all:
            - ' -clsid '
            - ' -target '
            - ' -victim '
    # selection_cli_attacks:
    #     # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by "selection_cli_required"
    #     CommandLine|contains:
    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate
    #         - '-laps ' # relay to LDAP and extract LAPS passwords
    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user
    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
    selection_cli_attack_smb:
        CommandLine|contains|all:
            - '-smb ' # relay to SMB
            - '--smbkeyword '
        CommandLine|contains:
            - 'interactive'
            - 'secrets'
            - 'service-add'
    selection_cli_attack_rbcd_main:
        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
    selection_cli_attack_rbcd_options:
        CommandLine|contains:
            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
    selection_cli_attack_changepass:
        CommandLine|contains: '-chp ' # relay to LDAP and change user password
        CommandLine|contains|all:
            - '-chpPass ' # new password
            - '-chpUser ' # the name of the user whose password you want to change
    selection_cli_attack_addgrpname:
        CommandLine|contains|all:
            - '-addgroupmember ' # relay to LDAP and add user to group
            - '-group '
            - '-groupuser '
    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
falsepositives:
    - Unlikely
level: high
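The rule's detection logic applied to a few constructed process_creation events, as an added Python example that is not part of the rule above or of SigmaHQ's tooling. Each selection is hand-translated into a function, the condition is evaluated the way the rule states it (top-level OR, with the two rbcd selections combined under "all of"), and the output shows which term caused a hit and why near-misses stay quiet. The event records, paths, CLSID and host names are constructed placeholders, and Sigma's default case-insensitive string matching is assumed; the commented-out selection_cli_attacks block is not evaluated, just as in the rule.

```python
"""Added example: the RemoteKrbRelay Sigma rule's selections and condition
hand-translated into Python and run over constructed process_creation events.
Not part of the rule or of any SigmaHQ tooling; field names follow the Sigma
process_creation schema, everything else is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process_creation log record (Sigma field names)."""
    Image: str
    OriginalFileName: str
    CommandLine: str


# Sigma string modifiers (contains / endswith / equality) are case-insensitive
# by default, so both sides are lowercased before comparison.
def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def _contains_all(value: str, needles) -> bool:
    return all(_contains(value, n) for n in needles)


def _contains_any(value: str, needles) -> bool:
    return any(_contains(value, n) for n in needles)


# One function per selection. Inside a selection, separate keys are ANDed and
# list items under one key are ORed (unless the key carries the |all modifier).
def selection_img(ev: ProcessEvent) -> bool:
    return (ev.Image.lower().endswith("\\remotekrbrelay.exe")
            or ev.OriginalFileName.lower() == "remotekrbrelay.exe")


def selection_cli_required(ev: ProcessEvent) -> bool:
    return _contains_all(ev.CommandLine, [" -clsid ", " -target ", " -victim "])


def selection_cli_attack_smb(ev: ProcessEvent) -> bool:
    return (_contains_all(ev.CommandLine, ["-smb ", "--smbkeyword "])
            and _contains_any(ev.CommandLine, ["interactive", "secrets", "service-add"]))


def selection_cli_attack_rbcd_main(ev: ProcessEvent) -> bool:
    return _contains(ev.CommandLine, "-rbcd ")


def selection_cli_attack_rbcd_options(ev: ProcessEvent) -> bool:
    return _contains_any(ev.CommandLine, ["-cn ", "--computername "])


def selection_cli_attack_changepass(ev: ProcessEvent) -> bool:
    return (_contains(ev.CommandLine, "-chp ")
            and _contains_all(ev.CommandLine, ["-chpPass ", "-chpUser "]))


def selection_cli_attack_addgrpname(ev: ProcessEvent) -> bool:
    return _contains_all(ev.CommandLine, ["-addgroupmember ", "-group ", "-groupuser "])


def matched_selections(ev: ProcessEvent) -> list[str]:
    """Names of the condition's top-level terms that are true for this event.
    The two rbcd selections are reported as one term, because the condition
    only counts them when both match ('all of selection_cli_attack_rbcd_*')."""
    terms = {
        "selection_img": selection_img(ev),
        "selection_cli_required": selection_cli_required(ev),
        "all of selection_cli_attack_rbcd_*": (
            selection_cli_attack_rbcd_main(ev) and selection_cli_attack_rbcd_options(ev)),
        "selection_cli_attack_changepass": selection_cli_attack_changepass(ev),
        "selection_cli_attack_addgrpname": selection_cli_attack_addgrpname(ev),
        "selection_cli_attack_smb": selection_cli_attack_smb(ev),
    }
    return [name for name, hit in terms.items() if hit]


def rule_matches(ev: ProcessEvent) -> bool:
    """The rule's condition: every term is ORed at the top level."""
    return bool(matched_selections(ev))


# Constructed sample events (placeholder paths, CLSID and host names).
SAMPLE_EVENTS = [
    # Binary renamed on disk; PE metadata and the three required flags still give it away.
    ProcessEvent(r"C:\Users\Public\svc.exe", "RemoteKrbRelay.exe",
                 "svc.exe -clsid {00000000-0000-0000-0000-000000000000} -target dc01 -victim ws01"),
    # Metadata stripped and required flags absent; the RBCD flag pair alone trips the rule.
    ProcessEvent(r"C:\Temp\t.exe", "t.exe", "t.exe -rbcd -cn host01$"),
    # Ordinary shell activity: nothing matches.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c dir"),
    # Only the rbcd_options half is present ('-cn ' without '-rbcd '), so 'all of' fails.
    ProcessEvent(r"C:\Setup\setup.exe", "setup.exe", "setup.exe -cn host01 /quiet"),
]


def evaluate(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each event's CommandLine to the condition terms that matched it."""
    return {ev.CommandLine: matched_selections(ev) for ev in events}


if __name__ == "__main__":
    for cmd, hits in evaluate().items():
        print(("ALERT " if hits else "ok    ") + cmd, hits)
```

The fourth event is the useful one when tuning: a lone `-cn ` is a plausible installer switch, and the rule stays quiet on it precisely because the condition requires both rbcd selections together. Keep that `all of` grouping intact if you port the logic to a SIEM query language by hand.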
