Kerberos Traffic from Unusual Processedit

Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.

Rule type: eql

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 43

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller.

Rule queryedit

network where event.type == "start" and network.direction ==
"outgoing" and destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and
destination.address !="" and destination.address !="::1" and
/* insert False Positives here */ not in ("swi_fc.exe",
"fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
"opera.exe", "firefox.exe")

Threat mappingedit


Rule version historyedit

Version 2 (7.11.2 release)
  • Formatting only