
Summary
This rule detects unusual outbound network activity over the Kerberos protocol, which typically uses port 88. It matches processes that initiate connections to this port while filtering out common legitimate sources such as the Local Security Authority Subsystem Service (lsass.exe) and popular web browsers like Chrome and Firefox. Such connections, particularly when they deviate from established baseline behavior, may indicate attempts at lateral movement within the network or the early stages of privilege escalation through delegation mechanisms. Monitoring for this behavior matters because it can be part of an attack pattern that threat actors use to move through a target environment undetected.
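The following is an added example, not the rule's own query or code, showing the detection logic described above applied to constructed records shaped like Sysmon Event ID 3 (network connection) fields. The field names (Image, Initiated, DestinationPort) follow Sysmon's schema; the excluded image file names (lsass.exe, chrome.exe, firefox.exe) are an assumption made for this example, as is the optional baseline comparison, which the summary mentions but does not specify.

```python
"""Added example: port-88 outbound connection detection over constructed Sysmon-style records."""
import ntpath
from typing import Dict, Iterable, List, Set

# Processes the rule's description treats as legitimate Kerberos clients.
# The exact image file names are an assumption for this example.
EXCLUDED_IMAGES: Set[str] = {"lsass.exe", "chrome.exe", "firefox.exe"}

KERBEROS_PORT = 88

# Constructed sample events mimicking Sysmon Event ID 3 fields. Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Image": r"C:\Windows\System32\lsass.exe", "Initiated": True,
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": True,
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "Initiated": True,
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "Initiated": True,
     "DestinationPort": 443, "DestinationIp": "203.0.113.10"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "Initiated": False,
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Initiated": True,
     "DestinationPort": 88, "DestinationIp": "10.0.0.5"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def matches_rule(event: Dict[str, object]) -> bool:
    """True when the process initiated a connection to port 88 and is not an excluded image."""
    initiated = bool(event.get("Initiated"))
    to_kerberos = event.get("DestinationPort") == KERBEROS_PORT
    excluded = image_name(str(event.get("Image", ""))) in EXCLUDED_IMAGES
    return initiated and to_kerberos and not excluded


def find_matches(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """All events that satisfy the rule."""
    return [e for e in events if matches_rule(e)]


def count_by_image(events: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Number of matching connections per image name; useful for building a per-host baseline."""
    counts: Dict[str, int] = {}
    for e in find_matches(events):
        name = image_name(str(e["Image"]))
        counts[name] = counts.get(name, 0) + 1
    return counts


def novel_images(events: Iterable[Dict[str, object]], baseline: Set[str]) -> Set[str]:
    """Matching image names not seen in a previously established baseline (assumed to be a set of names)."""
    return {name for name in count_by_image(events) if name not in baseline}


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
    # Example baseline: an environment where PowerShell is already known to talk Kerberos.
    print("New Kerberos clients:", novel_images(SAMPLE_EVENTS, {"powershell.exe"}))
```

Running the block prints two alerts (tool.exe and powershell.exe) and reports tool.exe as the only image outside the constructed baseline; the inbound and port-443 records from tool.exe are correctly ignored because the rule keys on initiated connections to port 88 only.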
Categories
- Network
- Windows
Data Sources
- Network Traffic
Created: 2019-10-24