Detects Kirbi File Creation
Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.
The creation of .kirbi files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as .kirbi files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.
Attack Chain
- An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.
- The attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.
- The tool extracts Kerberos tickets from memory.
- The extracted tickets are saved to a .kirbi file on the filesystem. This file is often created in a temporary or easily accessible location.
- The attacker may rename or move the .kirbi file to evade detection or prepare it for later use.
- The attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).
- The attacker gains unauthorized access to sensitive resources or data.
Impact
A successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.
Recommendation
- Deploy the Sigma rule Kirbi File Creation to your SIEM to detect the creation of .kirbi files.
- Enable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the Kirbi File Creation rule to function effectively.
- Investigate any alerts generated by the Kirbi File Creation rule, focusing on the process that created the file, the location of the file, and any follow-on activity.
- Consider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.
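As an added illustration (not the platform's rule, whose query is not shown on this page), the following Python applies the two coverage tiers described here to constructed Sysmon Event ID 11 records. The field names follow Sysmon's FileCreate schema; the list of suspicious process images is an assumption for the example.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Constructed Sysmon Event ID 11 (FileCreate) records in JSON-lines form, trimmed to
# the fields this check needs. Sample data for the example, not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\Rubeus.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\ticket.kirbi"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\report.txt"}
{"EventID": 11, "Image": "C:\\Tools\\notepad.exe", "TargetFilename": "C:\\Temp\\admin.KIRBI"}
{"EventID": 1, "Image": "C:\\Tools\\mimikatz.exe", "CommandLine": "mimikatz.exe"}
'''

# Image names the "by Suspicious Process" tier escalates on. Assumed list; the
# platform's own rule logic is not published on the page.
SUSPICIOUS_IMAGES = {"mimikatz.exe", "rubeus.exe"}

def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def image_basename(image: str) -> str:
    """Lower-cased file name of the creating process, tolerating either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return 'critical', 'high', or None for one event, mirroring the page's two
    coverage tiers: any .kirbi FileCreate is high; one written by a known dumping
    tool is critical. The extension test is case-insensitive, as NTFS names are."""
    if event.get("EventID") != 11:
        return None
    if not event.get("TargetFilename", "").lower().endswith(".kirbi"):
        return None
    if image_basename(event.get("Image", "")) in SUSPICIOUS_IMAGES:
        return "critical"
    return "high"

def scan(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (severity, creating image, target file) for every matching event."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["Image"], ev["TargetFilename"]))
    return hits

if __name__ == "__main__":
    for sev, image, target in scan(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {image} -> {target}")
```

Feeding real Sysmon JSON (for example from a forwarder) through `parse_log` and `scan` yields the same two-tier verdicts; the process and path in each hit are the first things to pivot on during triage.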
Detection coverage (2 rules)
Kirbi File Creation (severity: high)
Detects the creation of .kirbi files, which are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks.
Kirbi File Creation by Suspicious Process (severity: critical)
Detects the creation of .kirbi files by processes commonly associated with credential dumping.
Detection queries are kept inside the platform.