security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules_building_block/credential_access_kirbi_file.toml
T
Jonhnathan f584fb6e31 [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165) 
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
2023-10-15 18:12:20 -03:00

54 lines
1.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
attacker to impersonate users using Kerberos tickets.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Kirbi File Creation"
risk_score = 21
rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink