Type: Detection | Level: medium | Status: test

Uncommon Outbound Kerberos Connection

Detects uncommon outbound network activity on the Kerberos default port (88) from processes other than the usual Kerberos clients, which may indicate lateral movement or first-stage privilege escalation via delegation.

Author: Ilyas Ochkov, oscd.community
Created: Thu Oct 24
Updated: Fri Mar 15
Rule ID: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (5 selectors)
detection:
    selection:
        DestinationPort: 88
        Initiated: 'true'
    filter_main_lsass:
        Image: 'C:\Windows\System32\lsass.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tomcat:
        Image|endswith: '\tomcat\bin\tomcat8.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Web browsers and third-party applications might generate similar activity. An initial baseline is required before the rule is used for alerting.
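The following is an added example, not code from the rule page, the rule author or the Sigma project. It re-implements the rule's condition (selection and not 1 of filter_main_* and not 1 of filter_optional_*) in plain Python and runs it over a handful of constructed Sysmon Event ID 3 style records, then counts which images fire, which is the starting point for the baseline the False Positives note asks for. It assumes the field names Image, DestinationPort and Initiated as Sysmon exposes them to Sigma, and that string matching is case-insensitive, as Sigma's default; every record and path below is made up.

```python
"""Evaluate the Sigma rule above against constructed Sysmon network
connection (Event ID 3) records and count firing images for a baseline.

Added example, not code from the rule page, the rule author or the Sigma
project. Field names follow Sysmon's Event ID 3 schema as seen by Sigma
(Image, DestinationPort, Initiated); all records are constructed test data.
"""
from collections import Counter
from typing import Dict, List

# Selector values copied from the rule's YAML. Sigma string matching is
# case-insensitive by default, so comparisons below lower-case both sides.
FILTER_MAIN_IMAGES = [r"C:\Windows\System32\lsass.exe"]
FILTER_OPTIONAL_IMAGES = [
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
FILTER_OPTIONAL_ENDSWITH = [r"\tomcat\bin\tomcat8.exe"]

Event = Dict[str, str]


def selection(ev: Event) -> bool:
    """DestinationPort: 88 and Initiated: 'true' (outbound, not accepted)."""
    return (str(ev.get("DestinationPort", "")) == "88"
            and str(ev.get("Initiated", "")).lower() == "true")


def filter_main(ev: Event) -> bool:
    """filter_main_lsass: the process that legitimately talks Kerberos on a host."""
    image = str(ev.get("Image", "")).lower()
    return image in (i.lower() for i in FILTER_MAIN_IMAGES)


def filter_optional(ev: Event) -> bool:
    """filter_optional_*: browsers (exact path) and tomcat8 (endswith)."""
    image = str(ev.get("Image", "")).lower()
    return (image in (i.lower() for i in FILTER_OPTIONAL_IMAGES)
            or any(image.endswith(s.lower()) for s in FILTER_OPTIONAL_ENDSWITH))


def matches(ev: Event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not filter_main(ev) and not filter_optional(ev)


# Constructed records (assumed, not real telemetry). Two should fire:
# powershell.exe to port 88 and an unknown binary from a user profile.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\lsass.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Image": r"C:\apps\tomcat\bin\tomcat8.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": "88", "Initiated": "false"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationPort": "445", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Image": r"C:\Users\alice\Downloads\updater.exe", "DestinationPort": "88", "Initiated": "true"},
]


def alerts(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Images of the records that fire the rule, in input order."""
    return [ev["Image"] for ev in events if matches(ev)]


def baseline(events: List[Event] = SAMPLE_EVENTS) -> Counter:
    """Count firing images over a quiet period: frequent, explainable entries
    are candidates for additional filter_optional_* selectors; rare ones
    deserve a look before the rule is promoted from test to alerting."""
    return Counter(alerts(events))


if __name__ == "__main__":
    for image, count in baseline().most_common():
        print(f"{count:3d}  {image}")
```

Run it over a day or two of real Event ID 3 records (the same dict shape, one per connection) to see which images fire in your environment; the Counter output is the baseline the rule's False Positives note refers to. Note that the rule compares Initiated as the string 'true' because that is how Sysmon logs the field, and that the tomcat filter only covers a binary literally named tomcat8.exe under a \tomcat\bin\ path.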

Rule Metadata
Rule ID
e54979bd-c5f9-4d6c-967b-a04b19ac4c74
Status
test
Level
medium
Type
Detection
Created
Thu Oct 24
Modified
Fri Mar 15
Path
rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
Raw Tags
attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003