windows_krbrelayup_service_creation.yml
name: Windows KrbRelayUp Service Creation
id: e40ef542-8241-4419-9af4-6324582ea60a
version: 2
date: '2024-04-26'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies the default service name created by
  KrbRelayUp. Defenders should be aware that attackers could change the hardcoded
  service name of the KrbRelayUp tool and bypass this detection.
data_source:
- Windows Event Log System 7045
search: '`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM") | stats count
  min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName
  StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `windows_krbrelayup_service_creation_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  Windows System Event Logs with EventCode 7045 enabled. The Windows TA is also required.
known_false_positives: False positives should be limited, as this is specific to KrbRelayUp-based
  attacks. Filter as needed.
references:
- https://github.com/Dec0ne/KrbRelayUp
tags:
  analytic_story:
  - Local Privilege Escalation With KrbRelayUp
  asset_type: Endpoint
  confidence: 80
  impact: 80
  message: A service was created on $dest$, related to KrbRelayUp.
  mitre_attack_id:
  - T1543.003
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Service_File_Name
  - Service_Name
  - Service_Start_Type
  - Service_Type
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log
    source: XmlWinEventLog:System
    sourcetype: XmlWinEventLog
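The SPL search above can be read as: keep System 7045 (service installed) events whose ServiceName is `KrbSCM`, then aggregate count, first and last time per host and service attributes. The following Python is an added example that re-implements that logic offline over XML-formatted 7045 events; it is not part of the Splunk security content and uses no Splunk APIs. The sample events, hostnames, image paths and timestamps are constructed, and the `service_names` parameter is an assumption added so a defender can extend the hardcoded default name the rule's description warns about.

```python
"""Offline equivalent of the rule's SPL: filter System EventCode 7045 events by
ServiceName and aggregate like `stats count min(_time) max(_time) by dest ...`.
Added example, not Splunk's code."""
from collections import defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespace used by Windows XML event records (the XmlWinEventLog sourcetype).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Default service name hardcoded by KrbRelayUp, as named in the rule's search.
DEFAULT_SERVICE_NAMES = frozenset({"KrbSCM"})


def _event(system_time, computer, service_name, image_path):
    """Build a constructed 7045 XML record (sample data, not a real log)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <TimeCreated SystemTime="{system_time}"/><Computer>{computer}</Computer></System>
  <EventData><Data Name="ServiceName">{service_name}</Data>
    <Data Name="ImagePath">{image_path}</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data></EventData></Event>"""


# Constructed sample: two hits on ws01, one hit on ws02, one benign service.
SAMPLE_EVENTS = [
    _event("2024-04-26T10:15:02.000000Z", "ws01.example.local", "KrbSCM", "C:\\Windows\\Temp\\svc.exe"),
    _event("2024-04-26T10:17:45.000000Z", "ws01.example.local", "KrbSCM", "C:\\Windows\\Temp\\svc.exe"),
    _event("2024-04-26T11:02:10.000000Z", "ws02.example.local", "KrbSCM", "C:\\Users\\Public\\a.exe"),
    _event("2024-04-26T09:00:00.000000Z", "ws03.example.local", "VendorUpdater", "C:\\Program Files\\Vendor\\upd.exe"),
]


def parse_7045(xml_text):
    """Parse one XML event into the fields the SPL search references."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    time_created = system.find("e:TimeCreated", NS).get("SystemTime")
    fields = {
        "EventCode": int(system.findtext("e:EventID", namespaces=NS)),
        # SystemTime is UTC with a trailing Z; make it parseable on older Pythons.
        "_time": datetime.fromisoformat(time_created.replace("Z", "+00:00")),
        "dest": system.findtext("e:Computer", namespaces=NS),
    }
    # EventData/Data elements carry ServiceName, ImagePath, StartType, ServiceType.
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def detect_krbrelayup_services(xml_events, service_names=DEFAULT_SERVICE_NAMES):
    """Return one row per (dest, EventCode, ImagePath, ServiceName, StartType,
    ServiceType) group, with count, firstTime and lastTime, mirroring the SPL."""
    groups = defaultdict(list)
    for xml_text in xml_events:
        ev = parse_7045(xml_text)
        # EventCode=7045 ServiceName IN (...)
        if ev["EventCode"] != 7045 or ev.get("ServiceName") not in service_names:
            continue
        key = (ev["dest"], ev["EventCode"], ev.get("ImagePath"),
               ev["ServiceName"], ev.get("StartType"), ev.get("ServiceType"))
        groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        dest, code, image, name, start, stype = key
        rows.append({
            "dest": dest, "EventCode": code, "ImagePath": image, "ServiceName": name,
            "StartType": start, "ServiceType": stype, "count": len(times),
            "firstTime": min(times).isoformat(), "lastTime": max(times).isoformat(),
        })
    return rows


if __name__ == "__main__":
    for row in detect_krbrelayup_services(SAMPLE_EVENTS):
        print(row)
```

Because the match is on the exact service name, a renamed service (the bypass the rule's description mentions) produces no row; widening `service_names` or pivoting on `ImagePath` in the same 7045 data is where a defender would extend this.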