sigmaDRL-1.1from SigmaHQ/sigma
Uncommon Outbound Kerberos Connection
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Quality
66
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
- id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
type: similar
status: test
description: |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
- attack.defense-evasion
- attack.credential-access
- attack.t1558
- attack.lateral-movement
- attack.t1550.003
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 88
Initiated: 'true'
filter_main_lsass:
Image: 'C:\Windows\System32\lsass.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tomcat:
Image|endswith: '\tomcat\bin\tomcat8.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium