{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pass-the-ticket/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","pass-the-ticket","mimikatz","rubeus"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThe creation of \u003ccode\u003e.kirbi\u003c/code\u003e files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as \u003ccode\u003e.kirbi\u003c/code\u003e files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.\u003c/li\u003e\n\u003cli\u003eThe tool extracts Kerberos tickets from memory.\u003c/li\u003e\n\u003cli\u003eThe extracted tickets are saved to a \u003ccode\u003e.kirbi\u003c/code\u003e file on the filesystem. This file is often created in a temporary or easily accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or move the \u003ccode\u003e.kirbi\u003c/code\u003e file to evade detection or prepare it for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKirbi File Creation\u003c/code\u003e to your SIEM to detect the creation of \u003ccode\u003e.kirbi\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule, focusing on the process that created the file, the location of the file, and any follow-on activity.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-kirbi-file-creation/","summary":"Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.","title":"Detects Kirbi File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Pass-the-Ticket","version":"https://jsonfeed.org/version/1.1"}