Rules Contributing to Suspicious Connection to Another Process Alerts
The following rules are used to identify suspicious connection to another process. Any one or more of these will trigger Suspicious Connection to Another Process Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Windows Events Required: 5156
The Windows Detect Profile (Low Volume) covers these required Windows events.
| Title | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Remote PowerShell Sessions Network Connections (WinRM) | Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 More details   Rule IDQuery{'selection': {'EventID': 5156, 'DestPort': ['5985', '5986'], 'LayerRTID': '44'}, 'filter': {'Application': ['System']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for: 
 Rule SourceSigmaHQ,13acf386-b8c6-4fe0-9a6e-c4756b974698 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
 Additional Information
 | ||||||||
| Suspicious Outbound Kerberos Connection - Security | Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. More details   Rule IDQuery{'selection': {'EventID': 5156, 'DestPort': '88', 'Direction': '%%14593'}, 'filter_exact': {'Application': ['System', '\\device\\harddiskvolume*\\windows\\system32\\lsass.exe', '\\device\\harddiskvolume*\\*\\nmap.exe', '\\device\\harddiskvolume*\\*\\chrome.exe', '\\device\\harddiskvolume*\\*\\firefox.exe', '\\device\\harddiskvolume*\\*\\msedge.exe', '\\device\\harddiskvolume*\\*\\iexplore.exe']}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for: 
 Rule SourceSigmaHQ,eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 Author: Ilyas Ochkov, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
 Additional Information
 | 
