detection-rules
Rules for Elastic Security's detection engine (by elastic)
KrbRelayUp
KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). (by Dec0ne)
| | detection-rules | KrbRelayUp |
|---|---|---|
| Mentions | 7 | 4 |
| Stars | 1,775 | 1,456 |
| Growth | 0.8% | 2.1% |
| Activity | 9.7 | 0.0 |
| Last commit | 6 days ago | almost 2 years ago |
| Language | Python | C# |
| License | GNU General Public License v3.0 or later | - |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
detection-rules
Posts with mentions or reviews of detection-rules.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-04-27.
- KrbRelayUp detection [Sigma] - Service Creation via Local Kerberos Authentication
- Hunt and Detect KrbRelayUp
  Elastic rule: https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberoasting_unusual_process.toml
- Windows Security Logs
  With regards to alerts, Elastic Security includes a ton of Windows-focused detection rules, along with the ability to create custom rules for Windows Events (or any other source).
- SIEM Test Cases
  SIGMA, SOCPrime Sigma, Sigma Translator, Elastic Rules, Splunk Rules, ThreatHunter Playbook, iRedTeam, Lolbas, Atomic Red Team
- Identifies suspicious renamed COMSVCS.DLL Image Load; this DLL exports the MiniDump function that can be used to dump a process's memory. This may indicate an attempt to dump LSASS memory while bypassing command-line-based detection in preparation for credential access.
- I have an interview coming up this week for an IR/CSIRT role. Any tips on what to go over?
  Go look at the new [Elastic Detection rules](https://github.com/elastic/detection-rules), find ways to talk about them. My favorite recent one is https://github.com/elastic/detection-rules/issues/1535
- Tool for detecting attacks from web server logs
KrbRelayUp
Posts with mentions or reviews of KrbRelayUp.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-04-27.
- LDAP over TLS vs LDAP signing vs channel binding
  So we're looking at forcing LDAP signing and binding requirements in the wake of KrbRelayUp being released: https://github.com/Dec0ne/KrbRelayUp. Will enacting the following GPOs absolutely destroy downstream clients that have simple LDAP binds over 389 (ex: SonicWall SSL VPN)?
- Hunt and Detect KrbRelayUp
  KrbRelayUp is an LPE with "no fix": https://github.com/Dec0ne/KrbRelayUp
- KrbRelayUp - local privilege escalation in Windows domain environments where LDAP signing is not enforced
- KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).
What are some alternatives?
When comparing detection-rules and KrbRelayUp you can also consider the following projects:
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
sigma - Main Sigma Rule Repository
security_content - Splunk Security Content