IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Keychain Password Retrieval via Command Line Kubernetes Anonymous Request Authorized »

› › ›

Kirbi File Creation

edit

Kirbi File Creation

edit

Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Rule Type: BBR

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
Technique:
- Name: Steal or Forge Kerberos Tickets
- ID: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/

« Keychain Password Retrieval via Command Line Kubernetes Anonymous Request Authorized »