Rules Contributing to Suspicious Connection to Another Process Alerts
The following rules are used to identify suspicious activity with Suspicious Connection to Another Process. Any one or more of these will trigger Suspicious Connection to Another Process Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Remote PowerShell Sessions Network Connections (WinRM) |
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 More details
Rule IDQuery{'selection': {'EventID': 5156, 'DestPort': ['5985', '5986'], 'LayerRTID': '44'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,13acf386-b8c6-4fe0-9a6e-c4756b974698 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Outbound Kerberos Connection - Security |
Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. More details
Rule IDQuery{'selection': {'EventID': 5156, 'DestPort': '88', 'Direction': '%%14593'}, 'filter_exact': {'Application': ['System', '\\device\\harddiskvolume*\\windows\\system32\\lsass.exe', '\\device\\harddiskvolume*\\*\\nmap.exe', '\\device\\harddiskvolume*\\*\\chrome.exe', '\\device\\harddiskvolume*\\*\\firefox.exe', '\\device\\harddiskvolume*\\*\\msedge.exe', '\\device\\harddiskvolume*\\*\\iexplore.exe']}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 Author: Ilyas Ochkov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|