Techniques
Sample rules
Windows KrbRelayUp Service Creation
- source: splunk
- techniques:
- T1543.003
Description
The following analytic identifies the creation of a service with the default name hardcoded in KrbRelayUp (KrbSCM), by matching Windows System log EventCode 7045 (a service was installed in the system). Defenders should be aware that attackers can change the hardcoded service name in the KrbRelayUp source and bypass this detection, since the rule keys on the name alone and not on the installed binary.
Detection logic
`wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM")
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_krbrelayup_service_creation_filter`
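To show what the search above actually matches, here is an added Python re-implementation of the same logic run over a handful of constructed System-log records. It is example code written for this page, not part of the Splunk security content; the field names (dest, ServiceName, ImagePath, StartType, ServiceType) mirror the ones the SPL groups by, the `security_content_ctime` macro is assumed to render epoch times as `%Y-%m-%dT%H:%M:%S`, and the optional `filter_fn` stands in for the `windows_krbrelayup_service_creation_filter` allowlist macro. The sample includes a renamed KrbRelayUp service to make the bypass noted in the description concrete.

```python
"""Python equivalent of the Splunk KrbRelayUp service-creation search, run
over constructed Windows System event records (EventCode 7045).

Added example, not the Splunk security-content implementation."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events; not real telemetry. ImagePath values are illustrative.
SAMPLE_EVENTS = [
    {"_time": "2023-05-02T10:15:01Z", "dest": "WS01.corp.local", "EventCode": 7045,
     "ServiceName": "KrbSCM", "ImagePath": "C:\\Users\\alice\\Desktop\\KrbRelayUp.exe",
     "StartType": "demand start", "ServiceType": "user mode service"},
    {"_time": "2023-05-02T10:15:07Z", "dest": "WS01.corp.local", "EventCode": 7045,
     "ServiceName": "KrbSCM", "ImagePath": "C:\\Users\\alice\\Desktop\\KrbRelayUp.exe",
     "StartType": "demand start", "ServiceType": "user mode service"},
    # Benign service install on another host: must not match.
    {"_time": "2023-05-02T11:00:00Z", "dest": "WS02.corp.local", "EventCode": 7045,
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe",
     "StartType": "auto start", "ServiceType": "user mode service"},
    # KrbRelayUp rebuilt with a changed service name: same tool, different
    # ServiceName. The rule keys on the default name only, so this is missed.
    {"_time": "2023-05-02T11:30:00Z", "dest": "WS03.corp.local", "EventCode": 7045,
     "ServiceName": "WinUpdateSvc", "ImagePath": "C:\\Temp\\KrbRelayUp.exe",
     "StartType": "demand start", "ServiceType": "user mode service"},
    # Same service name but a 7036 state-change event, not 7045: must not match.
    {"_time": "2023-05-02T11:31:00Z", "dest": "WS01.corp.local", "EventCode": 7036,
     "ServiceName": "KrbSCM", "ImagePath": "", "StartType": "", "ServiceType": ""},
]

# ServiceName IN ("KrbSCM") in the SPL. Splunk field-value matching is
# case-insensitive, so the comparison below casefolds both sides.
WATCHED_SERVICE_NAMES = {"KrbSCM"}
GROUP_FIELDS = ("dest", "EventCode", "ImagePath", "ServiceName", "StartType", "ServiceType")
CTIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed rendering of security_content_ctime


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_krbrelayup_service(events, watched=WATCHED_SERVICE_NAMES, filter_fn=None):
    """EventCode=7045 ServiceName IN (...) | stats count min(_time) max(_time) by ...

    filter_fn, if given, plays the role of the trailing *_filter macro: a
    callable that returns True for result rows to suppress (local allowlist).
    """
    watched_cf = {name.casefold() for name in watched}
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 7045:
            continue
        if ev.get("ServiceName", "").casefold() not in watched_cf:
            continue
        key = tuple(ev.get(field) for field in GROUP_FIELDS)
        buckets[key].append(parse_time(ev["_time"]))

    results = []
    for key, times in buckets.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["count"] = len(times)
        row["firstTime"] = min(times).strftime(CTIME_FORMAT)
        row["lastTime"] = max(times).strftime(CTIME_FORMAT)
        if filter_fn is not None and filter_fn(row):
            continue
        results.append(row)
    return results


if __name__ == "__main__":
    for row in detect_krbrelayup_service(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single aggregated row for WS01 (count 2, first and last time from the two KrbSCM installs); the Sysmon install, the 7036 event, and the renamed KrbRelayUp service on WS03 all fall through, which is exactly the blind spot the description warns about.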