Detection rules › Sigma
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5156 | The Windows Filtering Platform has permitted a connection. |
Stages and Predicates
Stage 1: selection
DestPort: 88
Stage 2: not 1 of filter_main_lsass
or:
Application|startswith: 'C:'
Application|startswith: '\device\harddiskvolume'
Application|endswith: '\Windows\System32\lsass.exe'
Stage 3: not 1 of filter_optional_*
or:
or:
Application|endswith: '\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Application|endswith: '\Program Files\Google\Chrome\Application\chrome.exe'
or:
Application|startswith: 'C:'
Application|startswith: '\device\harddiskvolume'
or:
Application|endswith: '\Program Files (x86)\Mozilla Firefox\firefox.exe'
Application|endswith: '\Program Files\Mozilla Firefox\firefox.exe'
or:
Application|startswith: 'C:'
Application|startswith: '\device\harddiskvolume'
Application|endswith: '\tomcat\bin\tomcat8.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Application | ends_with |
|
Application | starts_with |
|
DestPort | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- RDP over Reverse SSH Tunnel WFP (drops 1 filter this rule applies)