SigmaHQ/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
Thomas Patzke 373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

30 lines
821 B
YAML

title: Suspicious Outbound Kerberos Connection
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestinationPort: 88
filter:
Image|endswith:
- '\lsass.exe'
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high