Name:Windows KrbRelayUp Service Creation id:e40ef542-8241-4419-9af4-6324582ea60a version:5 date:2024-11-28 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data. Data_source:
-Windows Event Log System 7045
search:`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required. known_false_positives:False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed. References: -https://github.com/Dec0ne/KrbRelayUp drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Local Privilege Escalation With KrbRelayUp' - 'Compromised Windows Host' asset_type:Endpoint confidence:80 impact:80 message:A service was created on $dest$, related to KrbRelayUp. mitre_attack_id: - 'T1543.003' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Service_File_Name' - 'Service_Name' - 'Service_Start_Type' - 'Service_Type' risk_score:64 security_domain:endpoint
