LoFP / Web browsers and third-party applications might generate similar activity. An initial baseline is required.

Techniques

Sample rules

Uncommon Outbound Kerberos Connection

Description

Detects uncommon outbound network connections to the default Kerberos port (88) from processes other than lsass.exe. Such activity may indicate lateral movement or a first-stage privilege escalation via Kerberos delegation abuse.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_lsass:
  Image: C:\Windows\System32\lsass.exe
filter_optional_chrome:
  Image:
  - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
  - C:\Program Files\Google\Chrome\Application\chrome.exe
filter_optional_firefox:
  Image:
  - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
  - C:\Program Files\Mozilla Firefox\firefox.exe
filter_optional_tomcat:
  Image|endswith: \tomcat\bin\tomcat8.exe
selection:
  DestinationPort: 88
  Initiated: 'true'

Uncommon Outbound Kerberos Connection - Security

Description

Detects uncommon outbound network connections to the default Kerberos port (88) from processes other than lsass.exe, using Windows Security Event ID 5156 (Windows Filtering Platform). Such activity may indicate lateral movement or a first-stage privilege escalation via Kerberos delegation abuse.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_lsass:
  Application|endswith: \Windows\System32\lsass.exe
  Application|startswith:
  - \device\harddiskvolume
  - 'C:'
filter_optional_chrome:
  Application|endswith:
  - \Program Files (x86)\Google\Chrome\Application\chrome.exe
  - \Program Files\Google\Chrome\Application\chrome.exe
  Application|startswith:
  - \device\harddiskvolume
  - 'C:'
filter_optional_firefox:
  Application|endswith:
  - \Program Files (x86)\Mozilla Firefox\firefox.exe
  - \Program Files\Mozilla Firefox\firefox.exe
  Application|startswith:
  - \device\harddiskvolume
  - 'C:'
filter_optional_tomcat:
  Application|endswith: \tomcat\bin\tomcat8.exe
selection:
  DestPort: 88
  EventID: 5156
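To see what the two rules on this page (the Sysmon variant and the Security-log variant) actually fire on, the following added example, which is not part of this page or of the Sigma project, transcribes both rules into plain Python dicts, implements only the subset of Sigma matching semantics they rely on (exact match, `|startswith`, `|endswith`, list values as OR, several fields in one block as AND, and the `selection and not 1 of filter_main_* and not 1 of filter_optional_*` condition), and runs them over constructed sample events. The event records, process paths and user names are made up for illustration.

```python
"""Evaluate the two 'Uncommon Outbound Kerberos Connection' rules (Sysmon and
Security-log variants) against constructed sample events.

Added example, not part of the Sigma project or of this page's rules. The
matcher implements only the Sigma features the two rules use. String matching
is case-insensitive, as in Sigma.
"""

# Both rules transcribed from the page into plain dicts (field -> pattern(s)).
SYSMON_RULE = {
    "selection": {"DestinationPort": 88, "Initiated": "true"},
    "filter_main_lsass": {"Image": r"C:\Windows\System32\lsass.exe"},
    "filter_optional_chrome": {"Image": [
        r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    ]},
    "filter_optional_firefox": {"Image": [
        r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
    ]},
    "filter_optional_tomcat": {"Image|endswith": r"\tomcat\bin\tomcat8.exe"},
}

SECURITY_RULE = {
    "selection": {"EventID": 5156, "DestPort": 88},
    "filter_main_lsass": {
        "Application|endswith": r"\Windows\System32\lsass.exe",
        "Application|startswith": [r"\device\harddiskvolume", "C:"],
    },
    "filter_optional_chrome": {
        "Application|endswith": [
            r"\Program Files (x86)\Google\Chrome\Application\chrome.exe",
            r"\Program Files\Google\Chrome\Application\chrome.exe",
        ],
        "Application|startswith": [r"\device\harddiskvolume", "C:"],
    },
    "filter_optional_firefox": {
        "Application|endswith": [
            r"\Program Files (x86)\Mozilla Firefox\firefox.exe",
            r"\Program Files\Mozilla Firefox\firefox.exe",
        ],
        "Application|startswith": [r"\device\harddiskvolume", "C:"],
    },
    "filter_optional_tomcat": {"Application|endswith": r"\tomcat\bin\tomcat8.exe"},
}


def _field_matches(event, key, patterns):
    """One 'Field|modifier: value(s)' line: true if any listed value matches."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    for pattern in patterns:
        p = str(pattern).lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "" and value == p:
            return True
    return False


def _block_matches(event, block):
    """A selection/filter block matches when every field line in it matches."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    if not _block_matches(event, rule["selection"]):
        return False
    filters = [name for name in rule if name.startswith("filter_")]
    return not any(_block_matches(event, rule[name]) for name in filters)


def find_alerts(rule, events, path_field):
    """Return the process path of every event the rule fires on."""
    return [e[path_field] for e in events if evaluate(rule, e)]


# Constructed Sysmon Event ID 3 records (not real telemetry).
SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\lsass.exe", "DestinationPort": 88, "Initiated": "true"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": 88, "Initiated": "true"},
    {"Image": r"C:\inetpub\tomcat\bin\tomcat8.exe", "DestinationPort": 88, "Initiated": "true"},
    {"Image": r"C:\Windows\System32\lsass.exe", "DestinationPort": 88, "Initiated": "false"},  # inbound: not selected
    {"Image": r"C:\Users\alice\Downloads\unknown.exe", "DestinationPort": 88, "Initiated": "true"},  # should alert
]

# Constructed Security Event ID 5156 records; WFP logs the NT device path in lower case.
SECURITY_EVENTS = [
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\lsass.exe", "DestPort": 88},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\program files\mozilla firefox\firefox.exe", "DestPort": 88},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\lsass.exe", "DestPort": 445},  # not Kerberos
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\users\alice\downloads\unknown.exe", "DestPort": 88},  # should alert
]

if __name__ == "__main__":
    print("Sysmon alerts:  ", find_alerts(SYSMON_RULE, SYSMON_EVENTS, "Image"))
    print("Security alerts:", find_alerts(SECURITY_RULE, SECURITY_EVENTS, "Application"))
```

Two things worth noting when porting the rules to a real backend. First, the case-insensitive comparison is not optional: Event 5156 records the process as a lower-case NT device path (`\device\harddiskvolume2\windows\system32\lsass.exe`) while the rule's filter patterns are mixed case, so a case-sensitive backend would stop filtering lsass.exe and flood the queue. Second, this is where the baseline mentioned at the top of the page comes in: run the rule over a representative window of your own telemetry, and any process that legitimately talks Kerberos on port 88 in your environment (a Java application server, an HTTP client using SPNEGO, and so on) becomes one more `filter_optional_*` block, while `filter_main_lsass` stays as the single mandatory exclusion.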