Merge pull request #3005 from BlackB0lt/patch-27

Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
parent 69b4bd551c fe312319d3
commit ee3aba2541
1 changed files with 22 additions and 0 deletions
@@ -0,0 +1,22 @@
+title: KrbRelayUp Service Installation
+id: e97d9903-53b2-41fc-8cb9-889ed4093e80
+status: experimental
+description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
+author: Sittikorn S
+date: 2022/05/11
+references:
+  - https://github.com/Dec0ne/KrbRelayUp
+logsource:
+  product: windows
+  category: system
+detection:
+  selection:
+    EventID: '7045'
+    ServiceName: 'KrbSCM'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1543