From df8c6c118f3fdc7a553ef94d0489fa72c2fae90d Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 11 May 2022 18:59:14 +0700
Subject: [PATCH 1/3] Create win_security_krbrelayup_service_installation.yml

Detects service creation from KrbRelayUp tool
---
 ...curity_krbrelayup_service_installation.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
new file mode 100644
index 000000000..c8d499353
--- /dev/null
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -0,0 +1,22 @@
+title: KrbRelayUp Service Installation
+id: e97d9903-53b2-41fc-8cb9-889ed4093e80
+status: experimental
+description: Detects service creation from KrbRelayUp tool.
+author: Sittikorn S
+date: 2022/05/11
+references:
+ - https://github.com/Dec0ne/KrbRelayUp
+logsource:
+ product: windows
+ category: system
+detection:
+ selection:
+ EventID: '7045'
+ ServiceName: 'KrbSCM'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1543

From 800669d90cf0a5406d8c0df27acbc88363624360 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 11 May 2022 18:59:37 +0700
Subject: [PATCH 2/3] Update win_security_krbrelayup_service_installation.yml

---
 .../system/win_security_krbrelayup_service_installation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
index c8d499353..aa73179e9 100644
--- a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
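Review bot: The `logsource` block of the new rule declares `category: system`, but the Windows System event log that carries the 7045 service-installation event is addressed in Sigma rules through the `service` key, so with `category` the rule will likely map to no backend log source; `category: system` should read `service: system`. The file name carries the `win_security_` prefix while the rule lives under `builtin/system` and matches a System-channel event, so `win_system_krbrelayup_service_installation.yml` would be consistent with the directory and with neighbouring rules. The technique tag can be narrowed to the Windows-service sub-technique, `- attack.t1543.003`. The selection keys only on the tool's default service name `KrbSCM`, so the description or the `falsepositives` entry should state that the rule covers unmodified builds of the tool, which also explains why `Unknown` is listed.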
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection:
 EventID: '7045'
- ServiceName: 'KrbSCM'
+ ServiceName: 'KrbSCM'
 condition: selection
 falsepositives:
 - Unknown

From fe312319d3f4d794aa93178fe1962e8fab8deed0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 12 May 2022 13:01:24 +0200
Subject: [PATCH 3/3] Update win_security_krbrelayup_service_installation.yml

---
 .../system/win_security_krbrelayup_service_installation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
index aa73179e9..3ab241a79 100644
--- a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -1,7 +1,7 @@
 title: KrbRelayUp Service Installation
 id: e97d9903-53b2-41fc-8cb9-889ed4093e80
 status: experimental
-description: Detects service creation from KrbRelayUp tool.
+description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
 author: Sittikorn S
 date: 2022/05/11
 references:
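Review bot: The new `+description:` line in the third patch is a single plain scalar far beyond the usual line width, and it drops the sentence-ending period that the replaced line had while leaving `windows` in lower case. Keeping the wording but writing it as a folded scalar, `description: >-` followed by the sentence wrapped over two or three indented lines and ending `(the default settings).`, reads better and stays a single string at runtime. Capitalising `Windows` in the prose would match the title's capitalisation; the `product: windows` value is an identifier and stays lower case.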