← Back to Explore
splunk_escuTTP
Windows KrbRelayUp Service Creation
The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.
MITRE ATT&CK
Detection Query
`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM")
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest EventCode ImagePath
ServiceName StartType ServiceType
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_krbrelayup_service_creation_filter`Author
Michael Haag, Splunk
Created
2026-03-10
Data Sources
Windows Event Log System 7045
References
Tags
Local Privilege Escalation With KrbRelayUpCompromised Windows Host
Raw Content
name: Windows KrbRelayUp Service Creation
id: e40ef542-8241-4419-9af4-6324582ea60a
version: 9
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.
data_source:
- Windows Event Log System 7045
search: |-
`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM")
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest EventCode ImagePath
ServiceName StartType ServiceType
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_krbrelayup_service_creation_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.
known_false_positives: False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.
references:
- https://github.com/Dec0ne/KrbRelayUp
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A service was created on $dest$, related to KrbRelayUp.
risk_objects:
- field: dest
type: system
score: 50
threat_objects: []
tags:
analytic_story:
- Local Privilege Escalation With KrbRelayUp
- Compromised Windows Host
asset_type: Endpoint
mitre_attack_id:
- T1543.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log
source: XmlWinEventLog:System
sourcetype: XmlWinEventLog