KrbRelayUp Service Installation

Sigma Rules

Summary
The 'KrbRelayUp Service Installation' detection rule monitors Windows environments for the creation of a service associated with the KrbRelayUp tool, which is commonly used for privilege escalation in poorly secured Active Directory environments, specifically those that do not enforce LDAP signing. The rule triggers on Windows Event ID 7045, the System-log event written when a new service is installed, and matches the specific service name 'KrbSCM', which indicates malicious activity arising from misuse of the KrbRelayUp tool. Because relay attacks depend on a weak network configuration, this rule complements secure configuration of the environment: it detects unauthorized privilege escalation attempts and so strengthens the overall security posture.
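The following is an added example, not the Sigma rule itself or code from the rule's authors: a small Python detector that applies the logic described in the summary (Event ID 7045 with ServiceName 'KrbSCM') to a handful of constructed System-log records forwarded as JSON lines. The field names (EventID, ServiceName, ImagePath, Computer) and all sample values are assumptions made for the example; Sigma string matching is case-insensitive by default, so the comparison is case-folded.

```python
import json
from typing import Dict, Iterable, List

# Detection parameters taken from the rule description above.
SERVICE_INSTALL_EVENT_ID = 7045
SUSPICIOUS_SERVICE_NAME = "KrbSCM"

# Constructed sample records shaped like Windows System-log events
# forwarded as JSON lines. Hostnames, paths and accounts are made up.
SAMPLE_LOG_LINES = r"""
{"EventID": 7045, "Provider": "Service Control Manager", "Computer": "WS01", "ServiceName": "KrbSCM", "ImagePath": "C:\\Users\\Public\\KrbRelayUp.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Provider": "Service Control Manager", "Computer": "WS02", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"}
{"EventID": 7036, "Provider": "Service Control Manager", "Computer": "WS01", "ServiceName": "KrbSCM", "Message": "The KrbSCM service entered the running state."}
{"EventID": 7045, "Provider": "Service Control Manager", "Computer": "SRV03", "ServiceName": "krbscm", "ImagePath": "C:\\Temp\\svc.exe", "AccountName": "LocalSystem"}
""".strip().splitlines()


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON object per line, skipping blank lines."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def is_krbrelayup_service_install(event: Dict) -> bool:
    """Rule logic: a 7045 service-installation event whose ServiceName is KrbSCM.

    A 7036 state-change event for the same service does not match, because the
    rule keys on the installation event only. Sigma compares strings
    case-insensitively by default, so the name is case-folded before comparing.
    """
    if event.get("EventID") != SERVICE_INSTALL_EVENT_ID:
        return False
    name = event.get("ServiceName")
    return isinstance(name, str) and name.casefold() == SUSPICIOUS_SERVICE_NAME.casefold()


def detect(lines: Iterable[str]) -> List[Dict]:
    """Return every event in the input that matches the rule."""
    return [e for e in parse_events(lines) if is_krbrelayup_service_install(e)]


def describe(event: Dict) -> str:
    """One-line alert text for a matching event (assumed field names)."""
    return (
        f"KrbRelayUp service installation on {event.get('Computer')}: "
        f"service {event.get('ServiceName')!r} with image {event.get('ImagePath')!r}"
    )


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(describe(hit))
```

Run stand-alone, the script reports the two 7045 events (WS01 and SRV03) and ignores both the legitimate Spooler installation and the 7036 state-change event. Note that this logic matches only the default service name; a detection built around it should be paired with broader service-installation telemetry (for example, reviewing the ImagePath of any new service) rather than relied on alone.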
Categories
  • Windows
  • Network
  • Identity Management
Data Sources
  • Windows Registry
  • Service
Created: 2022-05-11