diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index f127fa85f..6c27d0f34 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/28"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -99,19 +99,42 @@ type = "eql"
 query = '''
 network where event.type == "start" and network.direction : ("outgoing", "egress") and
-  destination.port == 88 and source.port >= 49152 and
+  destination.port == 88 and source.port >= 49152 and process.pid != 4 and
   not process.executable : ("?:\\Windows\\System32\\lsass.exe", "System",
+  "?:\\Windows\\System32\\svchost.exe",
+  "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe",
   "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
   "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
   "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
   "?:\\Program Files (x86)\\SuperScan\\scanner.exe",
   "?:\\Program Files (x86)\\Nmap\\nmap.exe",
-  "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and
-  destination.address !="127.0.0.1" and destination.address !="::1" and
-  /* insert false positives here */
-  not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
+  "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe",
+  "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe",
+  "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe",
+  "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe",
+  "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
+  "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe",
+  "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe",
+  "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe",
+  "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe",
+  "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe",
+  "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe",
+  "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe",
+  "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe",
+  "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe",
+  "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+  "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
+  "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
+  "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+  "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
+  "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+  "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
+  "?:\\Program Files\\Internet Explorer\\iexplore.exe",
+  "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
+  ) and
+  destination.address != "127.0.0.1" and destination.address != "::1"
 '''