← Back to Explore
sigmahighHunting
HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
Detection Query
selection_img:
- Image|endswith: \KrbRelay.exe
- OriginalFileName: KrbRelay.exe
selection_cli_1:
CommandLine|contains|all:
- " -spn "
- " -clsid "
- " -rbcd "
selection_cli_2:
CommandLine|contains|all:
- shadowcred
- clsid
- spn
selection_cli_3:
CommandLine|contains|all:
- "spn "
- "session "
- "clsid "
condition: 1 of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-04-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.credential-accessattack.t1558.003
Raw Content
title: HackTool - KrbRelay Execution
id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
status: test
description: Detects the use of KrbRelay, a Kerberos relaying tool
references:
- https://github.com/cube0x0/KrbRelay
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\KrbRelay.exe'
- OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation
selection_cli_1:
CommandLine|contains|all:
- ' -spn '
- ' -clsid '
- ' -rbcd '
selection_cli_2:
CommandLine|contains|all:
- 'shadowcred'
- 'clsid'
- 'spn'
selection_cli_3:
CommandLine|contains|all:
- 'spn '
- 'session '
- 'clsid '
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high