title: KrbRelay Hack Tool
id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
status: experimental
description: Detects the use of KrbRelay, a Kerberos relaying tool
author: Florian Roth
references:
  - https://github.com/cube0x0/KrbRelay
date: 2022/04/27
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    Image|endswith: '\KrbRelay.exe'
  selection_original_name:  # in case the file has been renamed after compilation
    OriginalFileName: 'KrbRelay.exe'
  selection_flags1:
    CommandLine|contains|all:
      - ' -spn '
      - ' -clsid '
      - ' -rbcd '
  selection_flags2:
    CommandLine|contains|all:
      - 'shadowcred'
      - 'clsid'
      - 'spn'
  selection_flags3:
    CommandLine|contains|all:
      - 'spn '
      - 'session '
      - 'clsid '
  condition: 1 of selection*
falsepositives:
  - Unlikely
level: high
tags:
  - attack.credential_access
  - attack.t1558.003