Rules Contributing to Suspicious Connection to Another Process Alerts
The following rules are used to identify suspicious connections to another process. Any one or more of them will trigger a Suspicious Connection to Another Process alert.
| Title | Description |
|---|---|
| Remote PowerShell Sessions Network Connections (WinRM) | Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986. |
| Suspicious Outbound Kerberos Connection - Security | Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation. |