← Back to Explore
sigmahighHunting
HackTool - RemoteKrbRelay Execution
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
Detection Query
selection_img:
- Image|endswith: \RemoteKrbRelay.exe
- OriginalFileName: RemoteKrbRelay.exe
selection_cli_required:
CommandLine|contains|all:
- " -clsid "
- " -target "
- " -victim "
selection_cli_attack_smb:
CommandLine|contains|all:
- "-smb "
- "--smbkeyword "
CommandLine|contains:
- interactive
- secrets
- service-add
selection_cli_attack_rbcd_main:
CommandLine|contains: "-rbcd "
selection_cli_attack_rbcd_options:
CommandLine|contains:
- "-cn "
- "--computername "
selection_cli_attack_changepass:
CommandLine|contains: "-chp "
CommandLine|contains|all:
- "-chpPass "
- "-chpUser "
selection_cli_attack_addgrpname:
CommandLine|contains|all:
- "-addgroupmember "
- "-group "
- "-groupuser "
condition: selection_img or selection_cli_required or all of
selection_cli_attack_rbcd_* or selection_cli_attack_changepass or
selection_cli_attack_addgrpname or selection_cli_attack_smb
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2024-06-27
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.credential-accessattack.t1558.003
Raw Content
title: HackTool - RemoteKrbRelay Execution
id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
status: test
description: |
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
references:
- https://github.com/CICADA8-Research/RemoteKrbRelay
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\RemoteKrbRelay.exe'
- OriginalFileName: 'RemoteKrbRelay.exe'
selection_cli_required:
CommandLine|contains|all:
- ' -clsid '
- ' -target '
- ' -victim '
# selection_cli_attacks:
# # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by "selection_cli_required"
# CommandLine|contains:
# - '-adcs ' # relay to HTTP Web Enrollment and get certificate
# - '-laps ' # relay to LDAP and extract LAPS passwords
# - '-ldapwhoami ' # relay to LDAP and get info about relayed user
# - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
selection_cli_attack_smb:
CommandLine|contains|all:
- '-smb ' # relay to SMB
- '--smbkeyword '
CommandLine|contains:
- 'interactive'
- 'secrets'
- 'service-add'
selection_cli_attack_rbcd_main:
CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
selection_cli_attack_rbcd_options:
CommandLine|contains:
- '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
- '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
selection_cli_attack_changepass:
CommandLine|contains: '-chp ' # relay to LDAP and change user password
CommandLine|contains|all:
- '-chpPass ' # new password
- '-chpUser ' # the name of the user whose password you want to change
selection_cli_attack_addgrpname:
CommandLine|contains|all:
- '-addgroupmember ' # relay to LDAP and add user to group
- '-group '
- '-groupuser '
condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
falsepositives:
- Unlikely
level: high