security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dbfdb7f804ca01a4bc6f4e4318a2fda4fe37f134
sigma-rules/rules/windows/credential_access_kirbi_file.toml
T
Jonhnathan 0ab70f13a4 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d023ad66b1)
2024-05-20 12:59:37 +00:00

52 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "SentinelOne integration package minimum version for validation."
min_stack_version = "8.11.0"
updated_date = "2024/05/16"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
attacker to impersonate users using Kerberos tickets.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Kirbi File Creation"
risk_score = 47
rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink