KrbRelayUp local privilege escalation.
Detects possible successful exploitation using tools such as KrbRelayUp in an AD environment
Sigma rule

```yaml
title: KrbRelayUp local privilege escalation.
description: Detects possible successful exploitation using tools such as KrbRelayUp in an AD environment
status: experimental
date: 2022/04/26
author: '@kostastsale'
references:
    - https://github.com/Dec0ne/KrbRelayUp
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
    - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4624
        LogonType: '3'
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid: 'S-1-5-21-*-500'
    filter:
        IpPort: '0'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
tags:
    - attack.privilege_escalation
    - attack.t1068
```
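The following is an added example, not code from the rule author or from the Sigma project, showing how the rule's `selection1 and not filter` condition evaluates against parsed 4624 events. It assumes events arrive as Python dicts whose keys are the Windows Security log field names used in the rule, approximates Sigma's case-insensitive wildcard matching with `fnmatch`, and uses constructed sample events (the SIDs, port and usernames are made up) that each flip one field so you can see what the selection and the `IpPort: '0'` filter actually exclude.

```python
import fnmatch

# Field/value pairs copied from the Sigma rule above. Sigma treats string
# values as case-insensitive and '*' as a wildcard; fnmatch reproduces that.
SELECTION1 = {
    "EventID": "4624",
    "LogonType": "3",
    "AuthenticationPackageName": "Kerberos",
    "IpAddress": "127.0.0.1",
    "TargetUserSid": "S-1-5-21-*-500",
}
FILTER = {"IpPort": "0"}


def field_matches(value, pattern):
    """Case-insensitive Sigma-style match of one field value against a pattern."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def search_matches(event, search):
    """Every field of a Sigma search identifier must be present and match."""
    return all(
        key in event and field_matches(event[key], pattern)
        for key, pattern in search.items()
    )


def rule_matches(event):
    """Evaluate the rule's condition: selection1 and not filter."""
    return search_matches(event, SELECTION1) and not search_matches(event, FILTER)


def make_event(**overrides):
    """Constructed baseline 4624 event (not a real log record); fields overridden per case."""
    event = {
        "EventID": 4624,
        "LogonType": 3,
        "AuthenticationPackageName": "Kerberos",
        "IpAddress": "127.0.0.1",
        "IpPort": 49862,
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
        "TargetUserName": "Administrator",
    }
    event.update(overrides)
    return event


# Constructed sample events, named after the single field each one changes.
SAMPLE_EVENTS = {
    "loopback_kerberos_rid500": make_event(),
    "port_zero_filtered": make_event(IpPort=0),
    "ntlm_not_kerberos": make_event(AuthenticationPackageName="NTLM"),
    "ordinary_user_rid1105": make_event(
        TargetUserSid="S-1-5-21-1111111111-2222222222-3333333333-1105",
        TargetUserName="jdoe",
    ),
    "remote_source": make_event(IpAddress="10.0.0.25"),
    "interactive_logon": make_event(LogonType=2),
}


def find_alerts(events):
    """Return the names of the sample events the rule would alert on."""
    return [name for name, event in events.items() if rule_matches(event)]


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:28s} -> {'ALERT' if rule_matches(event) else 'no match'}")
```

Only the baseline event fires: a type-3 Kerberos logon from 127.0.0.1 to the RID-500 account with a non-zero source port. The same record with `IpPort` set to `0` is dropped by the filter, and changing any one of the selection fields (package, SID RID, source address, logon type) stops the match, which is a quick way to confirm what the rule is and is not tuned to see before deploying it.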