SigmaHQ/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml

title: Suspicious Outbound Kerberos Connection
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
    - attack.lateral_movement
    - attack.t1208
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestinationPort: 88
    filter:
        Image|endswith:
            - '\lsass.exe'
            - '\opera.exe'
            - '\chrome.exe'
            - '\firefox.exe'
    condition: selection and not filter
falsepositives:
    - Other browsers
level: high
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Suspicious Outbound Kerberos Connection`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350`
ilyas ochkov contribution 2019-10-29 00:44:22 +00:00			`status: experimental`
			`description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.`
			`references:`
			`- https://github.com/GhostPack/Rubeus8`
			`author: Ilyas Ochkov, oscd.community`
spaces fix 2019-10-29 00:59:07 +00:00			`date: 2019/10/24`
Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 20:37:25 +00:00			`modified: 2019/11/13`
ilyas ochkov contribution 2019-10-29 00:44:22 +00:00			`tags:`
			`- attack.lateral_movement`
			`- attack.t1208`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1558.003`
ilyas ochkov contribution 2019-10-29 00:44:22 +00:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 5156`
			`DestinationPort: 88`
			`filter:`
Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 20:37:25 +00:00			`Image\|endswith:`
			`- '\lsass.exe'`
			`- '\opera.exe'`
			`- '\chrome.exe'`
			`- '\firefox.exe'`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`condition: selection and not filter`
ilyas ochkov contribution 2019-10-29 00:44:22 +00:00			`falsepositives:`
			`- Other browsers`
Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 20:37:25 +00:00			`level: high`