Detectionhightest

HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Thu Jun 273ab79e90-9fab-4cdf-a7b2-6522bc742adbwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith:
            - ':\windows\temp\sam.tmp'
            - ':\windows\temp\sec.tmp'
            - ':\windows\temp\sys.tmp'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

attack.t1219.002

Rule Metadata

Rule ID

3ab79e90-9fab-4cdf-a7b2-6522bc742adb

Status

test

Level

high

Type

Detection

Created

Thu Jun 27

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml

Raw Tags

attack.command-and-controlattack.t1219.002

View on GitHub