Type: Detection | Level: high | Status: test
HackTool - RemoteKrbRelay Execution
Detects execution of RemoteKrbRelay, a Kerberos relaying tool, via its command-line flags and PE metadata (image name and OriginalFileName).
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Jun 27
Rule ID: a7664b14-75fb-4a50-a223-cb9bc0afbacf
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (7 selectors)
detection:
    selection_img:
        - Image|endswith: '\RemoteKrbRelay.exe'
        - OriginalFileName: 'RemoteKrbRelay.exe'
    selection_cli_required:
        CommandLine|contains|all:
            - ' -clsid '
            - ' -target '
            - ' -victim '
    # selection_cli_attacks:
    #     # Note: In the current implementation these flags do not require any other flags, which means they can't be used on their own; they're already covered by "selection_cli_required"
    #     CommandLine|contains:
    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate
    #         - '-laps ' # relay to LDAP and extract LAPS passwords
    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user
    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
    selection_cli_attack_smb:
        CommandLine|contains|all:
            - '-smb ' # relay to SMB
            - '--smbkeyword '
        CommandLine|contains:
            - 'interactive'
            - 'secrets'
            - 'service-add'
    selection_cli_attack_rbcd_main:
        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
    selection_cli_attack_rbcd_options:
        CommandLine|contains:
            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
    selection_cli_attack_changepass:
        CommandLine|contains: '-chp ' # relay to LDAP and change user password
        CommandLine|contains|all:
            - '-chpPass ' # new password
            - '-chpUser ' # the name of the user whose password you want to change
    selection_cli_attack_addgrpname:
        CommandLine|contains|all:
            - '-addgroupmember ' # relay to LDAP and add user to group
            - '-group '
            - '-groupuser '
    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
False Positives
Unlikely
False positives are unlikely in most environments; this is a high-confidence detection.
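To check how the selections above combine (a list of maps is OR, keys inside one map are AND, and `all of selection_cli_attack_rbcd_*` requires both rbcd selections), here is an added example, not code from the rule page or the Sigma project: a minimal Python evaluator that transcribes the detection block and runs it over constructed process-creation events. It implements Sigma's default case-insensitive string matching and the `contains`, `contains|all` and `endswith` modifiers this rule uses. The sample events, their file paths and the `{CLSID-PLACEHOLDER}` value are made up; the selection names and field names are the rule's own.

```python
"""Added example (not code from the Sigma project or the rule page): a minimal
evaluator for the detection block of 'HackTool - RemoteKrbRelay Execution',
run over constructed process-creation events; every event value is made up."""
import fnmatch
import re

# Detection block transcribed from the rule. Keys keep Sigma's 'field|modifier'
# syntax; a list of maps is OR, keys inside one map are AND.
DETECTION = {
    "selection_img": [
        {"Image|endswith": "\\RemoteKrbRelay.exe"},
        {"OriginalFileName": "RemoteKrbRelay.exe"},
    ],
    "selection_cli_required": {
        "CommandLine|contains|all": [" -clsid ", " -target ", " -victim "]},
    "selection_cli_attack_smb": {
        "CommandLine|contains|all": ["-smb ", "--smbkeyword "],
        "CommandLine|contains": ["interactive", "secrets", "service-add"]},
    "selection_cli_attack_rbcd_main": {"CommandLine|contains": "-rbcd "},
    "selection_cli_attack_rbcd_options": {
        "CommandLine|contains": ["-cn ", "--computername "]},
    "selection_cli_attack_changepass": {
        "CommandLine|contains": "-chp ",
        "CommandLine|contains|all": ["-chpPass ", "-chpUser "]},
    "selection_cli_attack_addgrpname": {
        "CommandLine|contains|all": ["-addgroupmember ", "-group ", "-groupuser "]},
}
CONDITION = ("selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* "
             "or selection_cli_attack_changepass or selection_cli_attack_addgrpname "
             "or selection_cli_attack_smb")

def _match_value(value, pattern, modifiers):
    # Sigma string matching is case-insensitive by default.
    value, pattern = value.lower(), pattern.lower()
    if "contains" in modifiers:
        return pattern in value
    if "endswith" in modifiers:
        return value.endswith(pattern)
    return value == pattern

def _match_item(event, key, patterns):
    # 'Field|mod1|mod2'; a list of values is OR unless the 'all' modifier is set.
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(str(value), str(p), modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)

def _match_selection(event, selection):
    if isinstance(selection, list):  # list of maps: any one map may match
        return any(_match_selection(event, s) for s in selection)
    return all(_match_item(event, k, v) for k, v in selection.items())

def _eval_condition(condition, results):
    # Supports 'or', 'and' and '<all|1> of pattern*' without parentheses or
    # 'not', which covers this rule's condition ('and' binds tighter than 'or').
    def term(token):
        quant = re.fullmatch(r"(all|1) of (\S+)", token)
        if not quant:
            return results[token]
        hits = [v for n, v in results.items() if fnmatch.fnmatchcase(n, quant.group(2))]
        return all(hits) if quant.group(1) == "all" else any(hits)
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in condition.split(" or "))

def evaluate(event, detection=DETECTION, condition=CONDITION):
    """Return True when the event satisfies the rule's condition."""
    results = {name: _match_selection(event, sel) for name, sel in detection.items()}
    return _eval_condition(condition, results)

# Constructed sample events (not real telemetry); the CLSID is a placeholder.
EVENTS = {
    "renamed_binary_pe_metadata_kept": {
        "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "RemoteKrbRelay.exe",
        "CommandLine": "svc.exe -rbcd -cn WS01$"},
    "renamed_and_stripped_but_required_flags": {
        "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "svc.exe",
        "CommandLine": "svc.exe -clsid {CLSID-PLACEHOLDER} -target DC01 -victim WS02"},
    "rbcd_flag_without_computer_name": {  # rbcd_main hits, rbcd_options does not
        "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "svc.exe",
        "CommandLine": "svc.exe -rbcd -target DC01"},
    "upper_case_image_path": {
        "Image": "C:\\Tools\\REMOTEKRBRELAY.EXE", "CommandLine": "REMOTEKRBRELAY.EXE"},
    "benign_net_user": {
        "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe",
        "CommandLine": "net user alice /domain"},
}

def alerts(events=EVENTS):
    """Map each sample event name to the rule's verdict."""
    return {name: evaluate(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in alerts().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Running the script prints one verdict per sample event. The first two samples show the rule's two independent paths: a renamed binary is still caught through OriginalFileName, and a binary with stripped PE metadata is still caught through the three mandatory flags. The third sample shows why the `all of` quantifier matters: `-rbcd ` on its own does not fire, since the rule also requires `-cn ` or `--computername `. The evaluator covers only the modifiers and condition syntax this rule uses; converting the rule for a real SIEM should go through a Sigma backend (sigma-cli/pySigma), which also handles wildcards, escaping and field mapping.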
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1558.003 Kerberoasting (attack.t1558.003)
Rule Metadata
Rule ID: a7664b14-75fb-4a50-a223-cb9bc0afbacf
Status: test
Level: high
Type: Detection
Created: Thu Jun 27
Path: rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
Raw Tags: attack.credential-access, attack.t1558.003