title: Suspicious Outbound Kerberos Connection
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: experimental
description: Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
    - attack.lateral_movement
    - attack.t1208 # an old one
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestinationPort: 88
    filter:
        Image|endswith:
            - '\lsass.exe'
            - '\opera.exe'
            - '\chrome.exe'
            - '\firefox.exe'
    condition: selection and not filter
falsepositives:
    - Other browsers
level: high
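To see what the rule's `selection and not filter` condition actually admits and excludes, the following is an added Python example (not part of the Sigma rule or the Sigma project) that applies the same logic to a handful of constructed Windows Security events. The field names `EventID`, `DestinationPort` and `Image` are the rule's generic Sigma names; in a native Event ID 5156 record the process path is in `Application` (usually in `\device\harddiskvolumeN\...` form) and the port in `DestPort`, and the SIEM backend's field mapping is assumed to translate them. The `extra_exclusions` parameter is a hypothetical tuning hook for the documented "Other browsers" false positive; Sigma string matching is case-insensitive, and the example follows that.

```python
"""Replay of the 'Suspicious Outbound Kerberos Connection' Sigma logic.

Added example; it is not the rule file and not Sigma tooling. The events
below are constructed for illustration, not captured from a real host.
"""

# selection: EventID 5156 (WFP permitted a connection) to destination port 88
SELECTION = {"EventID": 5156, "DestinationPort": 88}

# filter: Image|endswith, the processes the rule expects to talk Kerberos
FILTER_IMAGE_ENDSWITH = (
    "\\lsass.exe",    # the Kerberos client (and the KDC on a DC) lives in LSASS
    "\\opera.exe",
    "\\chrome.exe",
    "\\firefox.exe",
)


def matches_selection(event: dict) -> bool:
    """All selection fields must match exactly (Sigma AND semantics within a map)."""
    return all(event.get(field) == value for field, value in SELECTION.items())


def matches_filter(event: dict, extra_exclusions: tuple = ()) -> bool:
    """Image|endswith against the rule's list plus any local tuning; case-insensitive."""
    image = str(event.get("Image", "")).lower()
    suffixes = FILTER_IMAGE_ENDSWITH + tuple(extra_exclusions)
    return any(image.endswith(suffix.lower()) for suffix in suffixes)


def rule_fires(event: dict, extra_exclusions: tuple = ()) -> bool:
    """condition: selection and not filter"""
    return matches_selection(event) and not matches_filter(event, extra_exclusions)


def evaluate(events: list, extra_exclusions: tuple = ()) -> list:
    """Return the events that would raise this (level: high) alert."""
    return [e for e in events if rule_fires(e, extra_exclusions)]


# Constructed sample events (hypothetical paths and addresses).
SAMPLE_EVENTS = [
    # 0: normal ticket traffic from LSASS -> excluded by the filter
    {"EventID": 5156, "Image": "C:\\Windows\\System32\\lsass.exe",
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    # 1: a listed browser authenticating with Kerberos -> excluded
    {"EventID": 5156, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    # 2: an arbitrary user-profile binary speaking to the KDC directly -> fires
    {"EventID": 5156, "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    # 3: a browser not on the filter list -> fires (the documented false positive)
    {"EventID": 5156, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    # 4: LDAP, not Kerberos -> outside the selection
    {"EventID": 5156, "Image": "C:\\Windows\\System32\\lsass.exe",
     "DestinationPort": 389, "DestinationIp": "10.0.0.5"},
    # 5: a different WFP event id on port 88 -> outside the selection
    {"EventID": 5158, "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["DestinationIp"], ":", hit["DestinationPort"])
    print("after tuning out msedge.exe:",
          [h["Image"] for h in evaluate(SAMPLE_EVENTS, extra_exclusions=("\\msedge.exe",))])
```

Two things the replay makes visible. First, the rule keys on the process image only, so any browser or Kerberos-aware client that is not on the four-entry filter list (event 3 above) raises a high-severity alert; tuning belongs in a site-specific exclusion like `extra_exclusions`, not in loosening the selection. Second, Event ID 5156 is only written when the "Filtering Platform Connection" audit subcategory has success auditing enabled, and it is high-volume; confirm the log source actually produces it before relying on this rule.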