security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Suspicious Kerberos Authentication Ticket Request (#5364)

Browse Source 
* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update lateral_movement_credential_access_kerberos_correlation.toml
This commit is contained in:
Samirbous
2025-11-26 18:45:30 +00:00
committed by GitHub
parent 03ce151b82
commit c3d09165c4
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
+7 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/10/28"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/10/28"
updated_date = "2025/11/25"
[rule]
author = ["Elastic"]
@@ -85,7 +85,12 @@ query = '''
sequence by source.port, source.ip with maxspan=3s
[network where host.os.type == "windows" and destination.port == 88 and
process.executable != null and
not process.executable : ("?:\\Windows\\system32\\lsass.exe", "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
not process.executable :
("?:\\Windows\\system32\\lsass.exe",
"\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
not (process.executable : ("C:\\Windows\\System32\\svchost.exe",
"C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
"F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe") and user.id in ("S-1-5-20", "S-1-5-18")) and
source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
[authentication where host.os.type == "windows" and event.code in ("4768", "4769")]
'''