Type: Detection | Level: medium | Status: test
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity on the Kerberos default port (88), which can indicate lateral movement or a first-stage privilege escalation via delegation.
Author: Ilyas Ochkov, oscd.community
Created: Thu Oct 24
Updated: Fri Mar 15
Rule ID: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
Product: windows
Log Source
Product: windows
Service: security
Detection Logic (5 selectors)
detection:
    selection:
        EventID: 5156
        DestPort: 88
    filter_main_lsass:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith: '\Windows\System32\lsass.exe'
    filter_optional_chrome:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith:
            - '\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - '\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith:
            - '\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - '\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tomcat:
        Application|endswith: '\tomcat\bin\tomcat8.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Web browsers and third-party applications might generate similar activity. An initial baseline is required.
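To make the rule's matching semantics concrete, here is an added Python evaluator (not code from the Sigma project or this rule's author) that applies the selection and the filter_main_* / filter_optional_* exclusions above to Windows Security Event 5156 records. It assumes events have already been normalised to the rule's Sigma field names (EventID, DestPort, Application); the sample events and the vendor "agent.exe" baseline entry are constructed for illustration. It also shows how the "initial baseline" the false-positive note calls for can be expressed as an extra filter_optional_* selector rather than by editing the shipped rule.

```python
"""
Added example: evaluate the Sigma rule
'Uncommon Outbound Kerberos Connection - Security' against Event 5156 records.
Field names follow the rule's Sigma fields, not the raw event XML.
"""

# Rule logic transcribed from the rule page.
SELECTION = {"EventID": 5156, "DestPort": 88}

# Each filter is a list of (modifier, field, values) clauses. A filter matches an
# event only when every clause matches; a clause matches when any value does.
FILTER_MAIN = {
    "filter_main_lsass": [
        ("startswith", "Application", [r"\device\harddiskvolume", "C:"]),
        ("endswith", "Application", [r"\Windows\System32\lsass.exe"]),
    ],
}
FILTER_OPTIONAL = {
    "filter_optional_chrome": [
        ("startswith", "Application", [r"\device\harddiskvolume", "C:"]),
        ("endswith", "Application", [
            r"\Program Files (x86)\Google\Chrome\Application\chrome.exe",
            r"\Program Files\Google\Chrome\Application\chrome.exe",
        ]),
    ],
    "filter_optional_firefox": [
        ("startswith", "Application", [r"\device\harddiskvolume", "C:"]),
        ("endswith", "Application", [
            r"\Program Files (x86)\Mozilla Firefox\firefox.exe",
            r"\Program Files\Mozilla Firefox\firefox.exe",
        ]),
    ],
    "filter_optional_tomcat": [
        ("endswith", "Application", [r"\tomcat\bin\tomcat8.exe"]),
    ],
}


def _clause_matches(event, modifier, field_name, values):
    # Sigma string matching is case-insensitive by default, which matters here:
    # real 5156 events carry the Application path in lowercase.
    actual = str(event.get(field_name, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def _filter_matches(event, clauses):
    return all(_clause_matches(event, *clause) for clause in clauses)


def rule_matches(event, extra_optional_filters=None):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if any(event.get(key) != value for key, value in SELECTION.items()):
        return False
    if any(_filter_matches(event, c) for c in FILTER_MAIN.values()):
        return False
    optional = dict(FILTER_OPTIONAL)
    optional.update(extra_optional_filters or {})  # site baseline, if any
    if any(_filter_matches(event, c) for c in optional.values()):
        return False
    return True


def alerts(events, extra_optional_filters=None):
    """Return the ids of the events that would raise an alert."""
    return [e["id"] for e in events if rule_matches(e, extra_optional_filters)]


# Constructed sample events (not real telemetry). The Application paths mimic
# the lowercase \device\harddiskvolumeN form seen in Event 5156.
SAMPLE_EVENTS = [
    {"id": "lsass", "EventID": 5156, "DestPort": 88,
     "Application": r"\device\harddiskvolume2\windows\system32\lsass.exe"},
    {"id": "chrome", "EventID": 5156, "DestPort": 88,
     "Application": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": "temp-tool", "EventID": 5156, "DestPort": 88,
     "Application": r"\device\harddiskvolume2\users\alice\appdata\local\temp\tool.exe"},
    {"id": "https", "EventID": 5156, "DestPort": 443,
     "Application": r"\device\harddiskvolume2\users\alice\appdata\local\temp\tool.exe"},
    {"id": "blocked-5157", "EventID": 5157, "DestPort": 88,
     "Application": r"\device\harddiskvolume2\users\alice\appdata\local\temp\tool.exe"},
    {"id": "baseline-agent", "EventID": 5156, "DestPort": 88,
     "Application": r"C:\Program Files\ExampleVendor\agent.exe"},
]

# Hypothetical site baseline: a known agent that legitimately talks Kerberos.
BASELINE = {
    "filter_optional_baseline_agent": [
        ("endswith", "Application", [r"\ExampleVendor\agent.exe"]),
    ],
}

if __name__ == "__main__":
    print("without baseline:", alerts(SAMPLE_EVENTS))
    print("with baseline:   ", alerts(SAMPLE_EVENTS, BASELINE))
```

Without the baseline the evaluator alerts on "temp-tool" and "baseline-agent"; adding the baseline as an extra filter_optional_* entry leaves only "temp-tool", the unknown binary reaching a KDC port from a user-writable directory. Keeping baseline exclusions in a separate selector (rather than editing the shipped filters) makes them easy to review and keeps the rule's own logic intact across updates.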
MITRE ATT&CK
Tactics: Lateral Movement, Credential Access
Technique: T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
Rule Metadata
Rule ID
eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
Status
test
Level
medium
Type
Detection
Created
Thu Oct 24
Modified
Fri Mar 15
Author
Ilyas Ochkov, oscd.community
Path
rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
Raw Tags
attack.lateral-movement
attack.credential-access
attack.t1558.003