valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9cd9a301c2
SigmaHQ/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

31 lines
842 B
YAML
Raw Blame History

title: Suspicious Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort: 88
Initiated: 'true'
filter:
Image|endswith:
- '\lsass.exe'
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high
Reference in New Issue View Git Blame Copy Permalink