Kerberos Traffic from Unusual Processedit
Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 6 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 8.2.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller.
Investigation guideedit
## Triage and analysis ### Investigating Kerberos Traffic from Unusual Process Kerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography. Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets. #### Possible investigation steps - Investigate script execution chain (parent process tree). - Investigate other alerts related to the host and user in the last 48 hours. - Check if the Destination IP is related to a Domain Controller. - Review event ID 4769 for suspicious ticket requests. ### False positive analysis - This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives. - Exceptions can be added for noisy/frequent connections. ### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Scope possible compromised credentials based on ticket requests. - Isolate the involved host to prevent further post-compromise behavior. ## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
Rule queryedit
network where event.type == "start" and network.direction : ("outgoing", "egress") and destination.port == 88 and source.port >= 49152 and process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and /* insert false positives here */ not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Steal or Forge Kerberos Tickets
- ID: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/
Rule version historyedit
- Version 6 (8.2.0 release)
-
- Formatting only
- Version 5 (8.1.0 release)
-
-
Updated query, changed from:
network where event.type == "start" and network.direction : ("outgoing", "egress") and destination.port == 88 and source.port >= 49152 and process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and /* insert False Positives here */ not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
-
- Version 4 (7.16.0 release)
-
-
Updated query, changed from:
network where event.type == "start" and network.direction == "outgoing" and destination.port == 88 and source.port >= 49152 and process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and /* insert False Positives here */ not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
-
- Version 3 (7.12.0 release)
-
- Formatting only
- Version 2 (7.11.2 release)
-
- Formatting only