KrbRelayUp Service Installation (e97d9903-53b2-41fc-8cb9-889ed4093e80)
Detects service creation by the KrbRelayUp tool, which is used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | KrbRelayUp Service Installation (e97d9903-53b2-41fc-8cb9-889ed4093e80) | Sigma-Rules | 1 |