Kerberos Traffic from Unusual Process | Elastic Security Solution [8.2]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Kerberos Pre-authentication Disabled for User Kernel Module Removal »

Kerberos Traffic from Unusual Processedit

Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Credential Access

Version: 6 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller.

Investigation guideedit

## Triage and analysis

### Investigating Kerberos Traffic from Unusual Process

Kerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for
client/server applications by using secret-key cryptography.

Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of
traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of
Kerberos tickets.

#### Possible investigation steps

- Investigate script execution chain (parent process tree).
- Investigate other alerts related to the host and user in the last 48 hours.
- Check if the Destination IP is related to a Domain Controller.
- Review event ID 4769 for suspicious ticket requests.

### False positive analysis

- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a
non-standard port or destination IP address unrelated to Domain controllers can create false positives.
- Exceptions can be added for noisy/frequent connections.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Scope possible compromised credentials based on ticket requests.
- Isolate the involved host to prevent further post-compromise behavior.

## Config

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule queryedit

network where event.type == "start" and network.direction :
("outgoing", "egress") and destination.port == 88 and source.port >=
49152 and process.executable != "C:\\Windows\\System32\\lsass.exe"
and destination.address !="127.0.0.1" and destination.address !="::1"
and /* insert false positives here */ not process.name in
("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
"opera.exe", "firefox.exe")

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Steal or Forge Kerberos Tickets
- ID: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/

Rule version historyedit

Version 6 (8.2.0 release)

Formatting only

Version 5 (8.1.0 release)

Updated query, changed from:

network where event.type == "start" and network.direction :
("outgoing", "egress") and destination.port == 88 and source.port >=
49152 and process.executable != "C:\\Windows\\System32\\lsass.exe"
and destination.address !="127.0.0.1" and destination.address !="::1"
and /* insert False Positives here */ not process.name in
("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
"opera.exe", "firefox.exe")

Version 4 (7.16.0 release)

Updated query, changed from:

network where event.type == "start" and network.direction ==
"outgoing" and destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and
destination.address !="127.0.0.1" and destination.address !="::1" and
/* insert False Positives here */ not process.name in ("swi_fc.exe",
"fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe",
"opera.exe", "firefox.exe")

Version 3 (7.12.0 release)

Formatting only

Version 2 (7.11.2 release)

Formatting only

« Kerberos Pre-authentication Disabled for User Kernel Module Removal »