Windows Suspect Process With Authentication Traffic
The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Discovery | T1087.002 Account Discovery: Domain Account |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: tstats
tstats WHERE All_Traffic.app IN ("*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*", "*\\programdata\\*", "*\\temp\\*", "*\\users\\*") All_Traffic.dest_port IN ("389", "636", "88") BY All_Traffic.action, All_Traffic.app, All_Traffic.dest, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.direction, All_Traffic.dvc, All_Traffic.protocol, All_Traffic.protocol_version, All_Traffic.src, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.transport, All_Traffic.user, All_Traffic.vendor_product
Stage 2: search
search
Stage 3: rex
rex field=app ...
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
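The filtering and grouping the stages above describe, re-implemented in Python over constructed sample records so the logic can be exercised offline. This is an added example, not the analytic's SPL or any Splunk code: the event records, IP addresses and user names are made up, the event shape (app, src_ip, dest_ip, dest_port, user) is assumed to follow the Network_Traffic data model the tstats stage reads, and path matching is assumed to be case-insensitive as in Splunk field-value search.

```python
import fnmatch
import re
from collections import Counter

# Path globs and destination ports copied from the rule's tstats stage (raw strings: one backslash each).
APP_GLOBS = [r"*\Windows\Tasks\*", r"*\appdata\*", r"*\perflogs\*",
             r"*\programdata\*", r"*\temp\*", r"*\users\*"]
AUTH_PORTS = {389, 636, 88}  # LDAP, LDAPS, Kerberos

# Compile each glob once; matching is case-insensitive (assumed, like Splunk field-value search).
_APP_PATTERNS = [re.compile(fnmatch.translate(g), re.IGNORECASE) for g in APP_GLOBS]

# Constructed sample records shaped like Network_Traffic events (e.g. Sysmon Event ID 3); not real telemetry.
SAMPLE_EVENTS = [
    {"app": r"C:\Users\alice\AppData\Local\Temp\update.exe", "src_ip": "10.1.2.10",
     "dest_ip": "10.0.0.5", "dest_port": 389, "user": "CORP\\alice"},
    {"app": r"C:\Windows\System32\lsass.exe", "src_ip": "10.1.2.10",
     "dest_ip": "10.0.0.5", "dest_port": 88, "user": "SYSTEM"},            # trusted path: ignored
    {"app": r"C:\Users\alice\Downloads\tool.exe", "src_ip": "10.1.2.10",
     "dest_ip": "93.184.216.34", "dest_port": 443, "user": "CORP\\alice"},  # not an auth port: ignored
    {"app": r"C:\ProgramData\svc\agent.exe", "src_ip": "10.1.2.11",
     "dest_ip": "10.0.0.5", "dest_port": 636, "user": "CORP\\svc"},
    {"app": r"C:\Users\alice\AppData\Local\Temp\update.exe", "src_ip": "10.1.2.10",
     "dest_ip": "10.0.0.5", "dest_port": 389, "user": "CORP\\alice"},      # repeat: aggregated
    {"app": r"C:\Windows\Tasks\run.exe", "src_ip": "10.1.2.12",
     "dest_ip": "10.0.0.6", "dest_port": 88, "user": "CORP\\bob"},
]

def process_name(app: str) -> str:
    """Mirror the rex stage: the process name is the last component of the app path."""
    return app.rsplit("\\", 1)[-1]

def is_suspect(event: dict) -> bool:
    """True when the process runs from a user-writable location AND talks to an auth port."""
    app = event.get("app", "")
    return int(event.get("dest_port", 0)) in AUTH_PORTS and any(p.match(app) for p in _APP_PATTERNS)

def detect(events):
    """Aggregate suspect events by (app, dest_ip, dest_port) with a count, like the tstats BY clause."""
    counts = Counter()
    for ev in events:
        if is_suspect(ev):
            counts[(ev["app"], ev["dest_ip"], int(ev["dest_port"]))] += 1
    return [{"process_name": process_name(app), "app": app, "dest_ip": ip,
             "dest_port": port, "count": n} for (app, ip, port), n in sorted(counts.items())]
```

Running `detect(SAMPLE_EVENTS)` yields three rows (agent.exe to 636, update.exe to 389 with count 2, run.exe to 88); lsass.exe is dropped by the path filter and tool.exe by the port filter.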
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| All_Traffic.app | in | `"*\\Windows\\Tasks\\*"`, `"*\\appdata\\*"`, `"*\\perflogs\\*"`, `"*\\programdata\\*"`, `"*\\temp\\*"`, `"*\\users\\*"` |
| All_Traffic.dest_port | in | `"389"`, `"636"`, `"88"` |