Adversaries may use the RemoteKrbRelay SMB Relay secrets dump module to extract credential material, and the module writes files with fixed, recognisable names while doing so. SOC teams should proactively hunt for those file creations in Azure Sentinel to detect potential Kerberos relay attacks before they lead to credential compromise and lateral movement.
Detection Rule

title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
status: test
description: Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\windows\temp\sam.tmp'
            - ':\windows\temp\sec.tmp'
            - ':\windows\temp\sys.tmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
Sentinel Query (KQL)

// Translation of the rule for the ASIM imFileEvent parser. In the ASIM FileEvent
// schema TargetFilePath carries the full normalised path, while TargetFileName holds
// only the file name, so the drive-anchored suffixes below must be compared against
// TargetFilePath. KQL's endswith is case-insensitive, which matches Sigma semantics.
imFileEvent
| where TargetFilePath endswith ":\\windows\\temp\\sam.tmp"
    or TargetFilePath endswith ":\\windows\\temp\\sec.tmp"
    or TargetFilePath endswith ":\\windows\\temp\\sys.tmp"
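As an added illustration (not code from the rule or from the RemoteKrbRelay project), the following Python evaluates the rule's three suffixes over constructed file-creation events, showing that the match is case-insensitive, is anchored on the drive letter, and only works against a full-path field rather than a bare file name:

```python
from typing import Iterable

# Suffixes taken from the rule's TargetFilename|endswith selection (lower case for matching).
SUSPECT_SUFFIXES = (
    ":\\windows\\temp\\sam.tmp",
    ":\\windows\\temp\\sec.tmp",
    ":\\windows\\temp\\sys.tmp",
)


def matches_rule(target_file_path: str) -> bool:
    """Return True when the path ends with one of the rule's suffixes.

    Sigma string modifiers match case-insensitively, so the path is lower-cased
    first. Each suffix begins with ':\\', so it can only match a full path that
    includes the drive letter; a bare file name such as 'sam.tmp' never matches.
    """
    return target_file_path.lower().endswith(SUSPECT_SUFFIXES)


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Apply the rule to file-creation events that carry a TargetFilePath field."""
    return [event for event in events if matches_rule(event.get("TargetFilePath", ""))]


# Constructed sample events (host names and process images are made up for the demo).
SAMPLE_EVENTS = [
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilePath": "C:\\Windows\\Temp\\SAM.tmp"},                    # hit: mixed case still matches
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilePath": "C:\\Windows\\Temp\\sec.tmp"},                    # hit
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilePath": "D:\\Windows\\Temp\\sys.tmp"},                    # hit: any drive letter
    {"Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\sam.tmp"},  # no hit: wrong directory
    {"Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilePath": "sam.tmp"},                                       # no hit: name only, no drive anchor
    {"Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilePath": "C:\\Windows\\Temp\\sys.tmp.bak"},                # no hit: different extension
]


def main() -> None:
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['Image']} created {hit['TargetFilePath']}")


if __name__ == "__main__":
    main()
```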
False Positive Scenarios

Scenario: Scheduled Job for Credential Synchronization
Description: A legitimate scheduled job runs to synchronize credentials between domain controllers using tools like klist or netdom.
Filter/Exclusion: Exclude files created by processes with CommandLine containing klist, netdom, or dsmig (Domain Synchronization Migration Tool).

Scenario: Admin Task for Kerberos Ticket Renewal
Description: An administrator manually renews Kerberos tickets using kinit or klist as part of routine maintenance.
Filter/Exclusion: Exclude files created by processes with CommandLine containing kinit, klist, or ktpass.

Scenario: PowerShell Script for Active Directory Reporting
Description: A PowerShell script runs to generate reports on Active Directory users, which may temporarily create files in the temporary directory.
Filter/Exclusion: Exclude files created by processes with ProcessName powershell.exe and CommandLine containing Get-ADUser or Export-Csv.

Scenario: Backup Job Creating Temporary Files
Description: A backup job creates temporary files during the backup process, which may match the file names used by the detection rule.
Filter/Exclusion: Exclude files created by processes with ProcessName backupexec.exe or vssadmin (Volume Shadow Copy Service).

Scenario: Security Tool for Kerberos Analysis
Description: A security tool like Kerberos Analyzer or Kerberos Viewer is used to analyze Kerberos tickets, creating temporary files during analysis.
Filter/Exclusion: Exclude files created by processes with ProcessName containing kerberos or Kerberos Analyzer in the command line.