
Summary
This analytic detects suspicious processes on Windows that attempt network authentication using domain protocols from unconventional locations, such as user-controlled or temporary directories. Specifically, it identifies executables communicating over the ports used by LDAP (389), LDAPS (636), and Kerberos (88). By leveraging network traffic data, the rule highlights potentially malicious behavior in which a process that would normally run from a legitimate application directory instead originates from a directory such as 'Users', 'ProgramData', 'Temp', 'AppData', or 'Windows\Tasks'. This is significant because malicious actors often run their exploits from these unsecured areas, so a match is a potential indicator of compromise that could precede further exploitation or lateral movement within the network. To implement this analytic effectively, Sysmon must be configured to generate the network connection events that capture this behavior.
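The following is an added example, not part of the original rule entry, showing the detection logic above applied to a handful of constructed Sysmon network-connection events. The flattened "Key: Value | Key: Value" line format, the field names, and the sample paths are assumptions made for the example; a real deployment would read the fields from the Sysmon event XML or from a SIEM. The example also shows two cases the rule must not flag: a legitimate system binary talking Kerberos, and a process from a suspicious directory on a port the rule does not cover.

```python
import re
from typing import Dict, Iterable, List

# Ports used by the domain authentication protocols named in the analytic.
AUTH_PORTS = {88, 389, 636}  # Kerberos, LDAP, LDAPS

# Directory fragments the analytic treats as unconventional launch locations.
SUSPICIOUS_DIR_PATTERNS = [
    r"\\Users\\",
    r"\\ProgramData\\",
    r"\\Temp\\",
    r"\\AppData\\",
    r"\\Windows\\Tasks\\",
]
_SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_DIR_PATTERNS), re.IGNORECASE)


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key: Value | Key: Value' line into a dict.

    The pipe-separated layout is a constructed format for this example,
    not the native Sysmon event layout.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def is_suspicious(event: Dict[str, str]) -> bool:
    """Apply the analytic: a network-connection event (Sysmon Event ID 3)
    to an authentication port from an executable in a suspicious directory."""
    if event.get("EventID") != "3":
        return False
    try:
        port = int(event.get("DestinationPort", ""))
    except ValueError:
        return False
    if port not in AUTH_PORTS:
        return False
    # Normalise slashes so a forward-slash path cannot slip past the patterns.
    image = event.get("Image", "").replace("/", "\\")
    return _SUSPICIOUS_RE.search(image) is not None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the analytic, in input order."""
    return [ev for ev in map(parse_sysmon_line, lines) if is_suspicious(ev)]


# Constructed sample events (hypothetical hosts, paths and addresses).
SAMPLE_EVENTS = [
    # Legitimate: LSASS performing Kerberos from System32 -> not flagged.
    r"EventID: 3 | Image: C:\Windows\System32\lsass.exe | DestinationIp: 10.0.0.5 | DestinationPort: 88",
    # Suspicious: binary in a user's Temp directory talking LDAP -> flagged.
    r"EventID: 3 | Image: C:\Users\alice\AppData\Local\Temp\scan.exe | DestinationIp: 10.0.0.5 | DestinationPort: 389",
    # Suspicious: binary under ProgramData talking LDAPS -> flagged.
    r"EventID: 3 | Image: C:\ProgramData\update\svc.exe | DestinationIp: 10.0.0.5 | DestinationPort: 636",
    # Suspicious directory but HTTPS, outside the rule's port set -> not flagged.
    r"EventID: 3 | Image: C:\Users\bob\Downloads\notes.exe | DestinationIp: 93.184.216.34 | DestinationPort: 443",
    # Process-creation event, not a network connection -> not flagged.
    r"EventID: 1 | Image: C:\Windows\Tasks\run.exe | CommandLine: run.exe",
    # Conventional application directory on LDAP -> not flagged.
    r"EventID: 3 | Image: C:\Program Files\App\app.exe | DestinationIp: 10.0.0.5 | DestinationPort: 389",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT image={hit['Image']} dst_port={hit['DestinationPort']}")
```

Running the block prints two alerts, for the Temp-directory and ProgramData binaries. In production the path patterns would be tuned with an allowlist for known software that legitimately runs from ProgramData or AppData, since those directories also host legitimate updaters and per-user installs.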
Categories
- Windows
- Endpoint
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1069
- T1087
- T1087.002
- T1204
- T1204.002
- T1649
Created: 2024-11-13