Techniques
Sample rules
Windows KrbRelayUp Service Creation
- source: splunk
- technicques:
- T1543.003
Description
The following analytic detects the creation of a service with the default name “KrbSCM” associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.
Detection logic
`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM")
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_krbrelayup_service_creation_filter`