// Outbound Kerberos (destination port 88) from a Windows host, reported by a process that is not
// in the tuned allow-list below. Only network "start" events are considered.
network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and
// source.port >= 49152 keeps to the dynamic/ephemeral client-port range; process.pid != 4 drops the
// Windows System process; destination.address : "*" requires the address field to be present.
destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : "*" and
not
(
// Expected Kerberos clients. `:` is a case-insensitive wildcard match (`?` one character, `*` any run).
// The whole list is gated on process.code_signature.trusted == true below, so an untrusted binary
// dropped at one of these paths still produces an alert rather than being excluded by path alone.
process.executable : (
// NT device-path spellings (\device\harddiskvolumeN\...) — presumably seen when the executable path is
// reported in device form rather than drive-letter form; confirm against the event source.
"\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe",
"\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe",
"\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
// Drive-letter spellings; `?:` matches any single drive letter.
"?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe",
"?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe",
"?:\\Program Files\\BlackBerry\\UEM\\Core\\tomcat-core\\bin\\tomcat9.exe",
"?:\\Program Files\\DBeaver\\dbeaver.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Internet Explorer\\iexplore.exe",
"?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe",
"?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe",
"?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
"?:\\Program Files\\Silverfort\\Silverfort AD Adapter\\SilverfortServer.exe",
"?:\\Program Files\\Tenable\\Nessus\\nessusd.exe",
"?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
"?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe",
"?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe",
"?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
"?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe",
"?:\\Program Files (x86)\\Nmap\\nmap.exe",
"?:\\Program Files (x86)\\Nmap OEM\\nmap.exe",
"?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe",
"?:\\Program Files (x86)\\SAP BusinessObjects\\tomcat\\bin\\tomcat9.exe",
"?:\\Program Files (x86)\\SuperScan\\scanner.exe",
"?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe",
"?:\\Windows\\System32\\lsass.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\SysWOW64\\vmnat.exe",
"?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
// NOTE(review): "System" has no code signature to evaluate, and PID 4 is already dropped above, so this
// entry presumably never contributes to the exclusion — confirm with the rule author.
"System"
// Exclusion only applies when the executable's signature is trusted (path alone is not enough).
) and process.code_signature.trusted == true
) and
// Loopback destinations (IPv4 and IPv6) are excluded.
destination.address != "127.0.0.1" and destination.address != "::1"
Install detection rules in Elastic Security
Detect Kerberos Traffic from Unusual Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.