
Unknown Process Using The Kerberos Protocol

Splunk Security Content

Summary
This rule detects anomalous outbound connections on port 88, the port typically associated with the Kerberos authentication protocol, made by processes other than 'lsass.exe'. The detection is based on data sourced from Endpoint Detection and Response (EDR) agents, correlating process behavior with network traffic. Under normal circumstances, only 'lsass.exe' should communicate with the Kerberos Key Distribution Center (KDC). If this detection triggers, it may indicate malicious behavior, such as an attacker attempting to misuse the Kerberos protocol for unauthorized access or lateral movement within the network. Organizations should treat this kind of activity as a potential indicator of a serious breach. Implementing this detection requires EDR logging to be configured to capture the essential telemetry, including the process GUID and command-line executions, which should then be mapped to the Splunk Common Information Model (CIM).
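The following is an added example, not Splunk's own SPL or any code from the Security Content project: it emulates the rule's logic in Python over a handful of constructed EDR network events using CIM-style field names (process_name, process_guid, dest, dest_port, process), grouping port-88 connections by host and process and keeping only those whose image name is not lsass.exe.

```python
"""Emulation of the 'unknown process on port 88' detection over constructed
EDR events. Field names mimic CIM; the events themselves are made up."""
from collections import defaultdict

KERBEROS_PORT = 88
EXPECTED_PROCESS = "lsass.exe"  # the only image that should talk to the KDC

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "process_name": "C:\\Windows\\System32\\lsass.exe",
     "process_guid": "{guid-1}", "dest": "10.0.0.5", "dest_port": 88},
    {"host": "WS01", "process_name": "LSASS.EXE",          # case differs
     "process_guid": "{guid-1}", "dest": "10.0.0.5", "dest_port": "88"},
    {"host": "WS02", "process_name": "C:\\Users\\bob\\tool.exe",
     "process_guid": "{guid-2}", "dest": "10.0.0.5", "dest_port": 88,
     "process": "tool.exe -x"},                             # command line
    {"host": "WS02", "process_name": "C:\\Users\\bob\\tool.exe",
     "process_guid": "{guid-2}", "dest": "10.0.0.5", "dest_port": 88},
    {"host": "WS03", "process_name": "chrome.exe",          # not port 88
     "process_guid": "{guid-3}", "dest": "142.250.0.1", "dest_port": 443},
]

def basename(path):
    """File name of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_unknown_kerberos_clients(events, port=KERBEROS_PORT):
    """Return one finding per (host, process_guid, image) that connected to
    `port` and is not lsass.exe. Events with a missing or non-numeric
    dest_port are skipped; a missing process_name is flagged as ''."""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "cmdline": None})
    for ev in events:
        try:
            dport = int(ev.get("dest_port"))
        except (TypeError, ValueError):
            continue
        if dport != port:
            continue
        image = basename(str(ev.get("process_name", "")))
        if image == EXPECTED_PROCESS:
            continue
        g = groups[(ev.get("host"), ev.get("process_guid"), image)]
        g["count"] += 1
        g["dests"].add(ev.get("dest"))
        g["cmdline"] = g["cmdline"] or ev.get("process")  # keep first seen
    return [{"host": h, "process_guid": guid, "process_name": image,
             "count": g["count"], "dests": sorted(g["dests"]),
             "cmdline": g["cmdline"]}
            for (h, guid, image), g in sorted(groups.items(), key=lambda kv: str(kv[0]))]

if __name__ == "__main__":
    for finding in detect_unknown_kerberos_clients(SAMPLE_EVENTS):
        print(finding)
```

Both lsass.exe events are dropped regardless of path or letter case, and the two tool.exe connections collapse into a single finding carrying the process GUID and the first command line seen, which is the telemetry the rule depends on.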
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1550
Created: 2024-11-13