credential_access_kirbi_file.toml

[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
attacker to impersonate users using Kerberos tickets.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Kirbi File Creation"
risk_score = 73
rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"