Kerberos Relaying (KrbRelayUp) Attack & Detection

  • Published 25 Jan 2025

Comments • 11

  • @chrisn9638 · 2 years ago

    Awesome post! Definitely appreciate the blue team perspective with looking through event viewer.

  • @omaravilez8865 · 6 months ago

    Thanks!

  • @SzaboB33 · 2 months ago

    What other attacks are possible, if the machine account quota is set too high?

    • @CyberAttackDefense · 2 months ago

      This is probably one of the only ones that abuses the machine account quota. Many orgs now disable the ability for standard users to join the domain due to Kerberos delegation and relaying. If anyone else knows let me know what attacks can abuse this.

  • @RandomFriend-ai · 8 months ago

    Just wanted to know: do we never see a logon type 3 event with the source IP being 127.0.0.1 when the process is Kerberos?

    • @CyberAttackDefense · 8 months ago

      It’s super rare to see that. I have only ever seen it with management tools running on box.

    • @Kenshiel · 5 months ago

      @CyberAttackDefense It's not that rare, at least I have seen it quite often in some envs. However, what is rare is the account "Administrator". Question for you: is it always going to be the account Administrator?

  • @logicfirst7959 · 1 year ago · +2

    Here are two Splunk rules to easily detect this.

    Sysmon detection:

        index="wineventlog" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" "KrbRelayUp"
        | search EventCode="1"
        | search ((Image="*\\KrbRelayUp.exe" OR OriginalFileName="KrbRelayUp.exe") OR (CommandLine="* relay *" CommandLine="* -Domain *" CommandLine="* -ComputerName *") OR (CommandLine="* krbscm *" CommandLine="* -sc *") OR (CommandLine="* spawn *" CommandLine="* -d *" CommandLine="* -cn *" CommandLine="* -cp *"))
        | stats values(ComputerName) as ComputerName values(OriginalFileName) as OriginalFileName values(CommandLine) as CommandLine values(ParentCommandLine) as ParentCommandLine by _time User
        | search NOT User=System
        | table _time User ComputerName OriginalFileName ParentCommandLine CommandLine
        | sort - _time

    Windows Security event log detection:

        index="wineventlog" source="WinEventLog:Security" "KrbRelayUp"
        | search EventCode=4688
        | stats values(ComputerName) as ComputerName values(Account_Name) as Account_Name values(user) as user values(signature) as signature values(Creator_Process_Name) as Parent_Process values(New_Process_Name) as Child_Process values(Process_Command_Line) as ProcessCommand values(src) as src values(dest) as dest count by _time src_user
        | table _time src_user ComputerName Parent_Process Child_Process ProcessCommand
        | sort - _time
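Added example, not code from the video or any commenter: the two detection ideas in this thread (the KrbRelayUp binary-name and command-line patterns from the Splunk rules above, and the loopback type 3 Kerberos logon raised earlier) written as Python checks and run over constructed sample events. The field names (User, Image, OriginalFileName, CommandLine, LogonType, IpAddress, AuthenticationPackageName, TargetUserName) are assumed to come from already-parsed Sysmon Event ID 1 and Security 4624 records.

```python
# Constructed sample records, not real telemetry. Field names are assumed to come
# from already-parsed Sysmon Event ID 1 and Security 4624 records.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\tool.exe",
     "OriginalFileName": "KrbRelayUp.exe", "CommandLine": "tool.exe relay -Domain corp.local -ComputerName ws01"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\x.exe",
     "OriginalFileName": "x.exe",  # renamed binary: only the command line gives it away
     "CommandLine": "x.exe spawn -d corp.local -cn ws01 -cp Passw0rd"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Temp\\KrbRelayUp.exe",
     "OriginalFileName": "KrbRelayUp.exe", "CommandLine": "KrbRelayUp.exe krbscm -sc calc.exe"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "127.0.0.1",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.0.5",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe"},
]

# Each KrbRelayUp mode with the switches the posted Splunk rule pairs with it.
KRBRELAYUP_MODES = {"relay": {"-domain", "-computername"}, "krbscm": {"-sc"},
                    "spawn": {"-d", "-cn", "-cp"}}

def matches_krbrelayup_cmdline(cmdline: str) -> bool:
    """Token-based equivalent of the SPL wildcard tests: mode word plus all its switches."""
    tokens = set(cmdline.lower().split())
    return any(m in tokens and f <= tokens for m, f in KRBRELAYUP_MODES.items())

def check_sysmon_process(ev: dict):
    if ev.get("EventID") != 1:
        return None
    if ev.get("User", "").rsplit("\\", 1)[-1].upper() == "SYSTEM":
        return None  # mirrors `NOT User=System` in the posted rule (drops the third sample)
    if (ev.get("Image", "").lower().endswith("\\krbrelayup.exe")
            or ev.get("OriginalFileName", "").lower() == "krbrelayup.exe"):
        return "KrbRelayUp binary name"
    if matches_krbrelayup_cmdline(ev.get("CommandLine", "")):
        return "KrbRelayUp command-line pattern"
    return None

def check_local_kerberos_logon(ev: dict):
    """The 4624 pattern raised in the thread: type 3 logon from loopback via Kerberos."""
    if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("IpAddress") in ("127.0.0.1", "::1")
            and ev.get("AuthenticationPackageName", "").lower() == "kerberos"):
        return f"loopback Kerberos network logon as {ev.get('TargetUserName')}"
    return None

def triage(events: list) -> list:
    """Return (EventID, reason) for every event that trips either check."""
    checks = (check_sysmon_process, check_local_kerberos_logon)
    return [(ev["EventID"], r) for ev in events for c in checks if (r := c(ev))]
```

Running `triage(SAMPLE_EVENTS)` flags the first two process events and the loopback Administrator logon; the SYSTEM-owned event is dropped by the same exclusion the Splunk rule uses, which is worth keeping in mind as a blind spot.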