[Rule Tuning] Kerberos Traffic from Unusual Process (#2202)

Excluding a couple of FPs by process.executable to reduce the FP rate.

(cherry picked from commit 527507835f)
Samirbous
2022-07-29 22:27:59 +02:00
committed by github-actions[bot]
parent 5b183e66fa
commit 0dfae46dcc
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
updated_date = "2022/05/09"
updated_date = "2022/07/29"
[rule]
author = ["Elastic"]
@@ -88,7 +88,16 @@ type = "eql"
query = '''
network where event.type == "start" and network.direction : ("outgoing", "egress") and
destination.port == 88 and source.port >= 49152 and
process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
not process.executable :
("?:\\Windows\\System32\\lsass.exe",
"System",
"\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
"?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
"?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
"?:\\Program Files (x86)\\SuperScan\\scanner.exe",
"?:\\Program Files (x86)\\Nmap\\nmap.exe",
"\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and
destination.address !="127.0.0.1" and destination.address !="::1" and
/* insert false positives here */
not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
'''
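Review bot: The new Nmap, SuperScan, LanGuard and Nexpose exclusions are keyed on process.executable path alone, so a renamed binary placed at one of those paths also matches the exclusion and drops out of this rule; the trade-off should be recorded in the query, e.g. `/* scanner exclusions are path-based and therefore spoofable; narrow with process.code_signature.trusted / subject_name where the data source populates them */`. The hunk also inserts these exclusions above the `/* insert false positives here */` marker while the process.name list stays below it, so the marker no longer points at the whole FP list; move it above the `not process.executable :` line or drop it. Switching the lsass.exe check from `!=` on one literal path to the case-insensitive `:` list that also covers the `\device\harddiskvolume?` form is a sound hardening of the original exclusion.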