Detectionhightest

KrbRelayUp Service Installation

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sittikorn S, Tim SheltonCreated Wed May 11Updated Wed Oct 05e97d9903-53b2-41fc-8cb9-889ed4093e80windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        EventID: 7045
        ServiceName: 'KrbSCM'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1543 · Create or Modify System Process

Rule Metadata

Rule ID

e97d9903-53b2-41fc-8cb9-889ed4093e80

Status

test

Level

high

Type

Detection

Created

Wed May 11

Modified

Wed Oct 05

Author

Sittikorn S, Tim Shelton

Path

rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1543

View on GitHub