Rules Contributing to Suspicious Connection to Another Process Alerts

The following rules are used to identify activity that is classed as a Suspicious Connection to Another Process. Any one or more of them firing will trigger a Suspicious Connection to Another Process alert. Details for each rule can be viewed by clicking the More Details link in its description.

| Title | Description |
|---|---|
| Remote PowerShell Sessions Network Connections (WinRM) | Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986. |
| Suspicious Outbound Kerberos Connection - Security | Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation. |