KrbRelayUp local privilege escalation.
Detecting possible successful exploitation using tools such as KrbRelayUp in an AD environment
Sigma rule
title: KrbRelayUp local privilege escalation.
id: 3f3e85e9-2fec-4c2f-89cd-6762b5928570
description: Detecting possible successful exploitation using tools such as KrbRelayUp in an AD environment
status: experimental
date: 2022/04/26
author: '@kostastsale'
references:
  - https://github.com/Dec0ne/KrbRelayUp
  - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
  - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
logsource:
  product: windows
  service: security
detection:
  # Kerberos network logon from loopback targeting the built-in Administrator (RID 500)
  selection1:
    EventID: 4624
    LogonType: '3'
    AuthenticationPackageName: 'Kerberos'
    IpAddress: '127.0.0.1'
    TargetUserSid: 'S-1-5-21-*-500'
  # exclude events whose source port is 0
  filter:
    IpPort: '0'
  condition: selection1 and not filter
falsepositives:
  - Unknown
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
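The rule's detection logic applied to a few constructed 4624 events, as an added example that is not part of the Sigma rule or its repository; the field names come from the rule, while the sample events, the Sigma-style wildcard matcher and the helper function names are assumptions made here:

```python
import fnmatch
import re

# Field/value pairs copied from the Sigma rule's detection section.
SELECTION1 = {
    "EventID": "4624",
    "LogonType": "3",
    "AuthenticationPackageName": "Kerberos",
    "IpAddress": "127.0.0.1",
    "TargetUserSid": "S-1-5-21-*-500",
}
FILTER = {"IpPort": "0"}

def field_matches(pattern, value):
    """Sigma default string match: case-insensitive, '*' and '?' wildcards; a missing field never matches."""
    return value is not None and re.fullmatch(fnmatch.translate(str(pattern)), str(value), re.IGNORECASE) is not None

def block_matches(block, event):
    """A Sigma map matches only when every listed field matches (implicit AND)."""
    return all(field_matches(pat, event.get(field)) for field, pat in block.items())

def rule_matches(event):
    """condition: selection1 and not filter"""
    return block_matches(SELECTION1, event) and not block_matches(FILTER, event)

# Constructed 4624 events (not real logs) using the field names the rule expects; only the first should fire.
SAMPLE_EVENTS = [
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "IpPort": "49812",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # same logon but source port 0: removed by the filter block
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "IpPort": "0",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # NTLM loopback logon: selection1 requires Kerberos
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "IpAddress": "127.0.0.1", "IpPort": "49813",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    # Kerberos loopback logon to an ordinary domain user (RID 1105): SID wildcard does not match
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "IpPort": "49814",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
]

def matching_indexes(events=SAMPLE_EVENTS):
    """Return the 0-based positions of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]
```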
Related rules
- SamAccountName Spoofing and Domain Controller Impersonation
- CVE-2021-3156 Exploitation Attempt
- CVE-2021-3156 Exploitation Attempt Bruteforcing
- OMIGOD SCX RunAsProvider ExecuteScript
- Windows Kernel and 3rd-Party Drivers Exploits Token Stealing