Pass-the-Ticket — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/pass-the-ticket/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 10:00:00 +0000Detects Kirbi File Creationhttps://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.The creation of .kirbi files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as .kirbi files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.
  2. The attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.
  3. The tool extracts Kerberos tickets from memory.
  4. The extracted tickets are saved to a .kirbi file on the filesystem. This file is often created in a temporary or easily accessible location.
  5. The attacker may rename or move the .kirbi file to evade detection or prepare it for later use.
  6. The attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).
  7. The attacker gains unauthorized access to sensitive resources or data.

Impact

A successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.

Recommendation

  • Deploy the Sigma rule Kirbi File Creation to your SIEM to detect the creation of .kirbi files.
  • Enable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the Kirbi File Creation rule to function effectively.
  • Investigate any alerts generated by the Kirbi File Creation rule, focusing on the process that created the file, the location of the file, and any follow-on activity.
  • Consider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.
]]>highadvisorycredential-accesskerberospass-the-ticketmimikatzrubeus