Query Details

Kerberos Unusual Process

Query

// Kerberos traffic from unusual Windows process
DeviceNetworkEvents
| where RemotePort == 88
// -- BEGIN FALSE POSITIVES --
| where InitiatingProcessFileName != ""  // missing sensor data
| where InitiatingProcessFolderPath !~ "c:\\windows\\system32\\lsass.exe"  // Windows default kerberos client
// -- END FALSE POSITIVES --
| where AdditionalFields !contains "Posix"  // ignore Linux and Mac
| sort by Timestamp

Explanation

This query looks for Kerberos traffic (TCP/UDP port 88) that originates from a Windows process other than the default Kerberos client. On Windows, Kerberos authentication is brokered by the Local Security Authority, so in normal operation lsass.exe is the only process that talks to a KDC on port 88; any other image doing so directly (for example tooling that crafts its own ticket requests) is worth investigating. The false-positive block first drops rows with no process attribution (an empty InitiatingProcessFileName), then rows whose initiating image is lsass.exe, using !~ so the path comparison is case-insensitive. The AdditionalFields filter excludes Linux and macOS sensor events, which carry a Posix entry in that column and where Kerberos clients legitimately run outside lsass. Results are sorted by Timestamp; note that KQL's sort by defaults to descending order, so the newest events are listed first.
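To make the filter semantics concrete, the following Python replays the query's where clauses over a handful of constructed DeviceNetworkEvents-shaped rows and then rolls the hits up per device and image, the way a summarize stage would for triage. This is an added example, not part of the original query or C.J. May's work; the sample rows, the host names, the krb.exe path and the Posix JSON fragment are all invented for illustration.

```python
from collections import defaultdict

# The path the query excludes with !~ (case-insensitive not-equal in KQL).
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Constructed sample rows shaped like DeviceNetworkEvents columns (synthetic, not real telemetry).
# AdditionalFields is the JSON string the sensor exposes; only the Linux row carries a "Posix" key.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-11-06T10:00:03Z", "DeviceName": "ws01", "RemoteIP": "10.0.0.10", "RemotePort": 88,
     "InitiatingProcessFileName": "lsass.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\lsass.exe", "AdditionalFields": ""},
    {"Timestamp": "2023-11-06T10:01:17Z", "DeviceName": "ws01", "RemoteIP": "10.0.0.10", "RemotePort": 88,
     "InitiatingProcessFileName": "krb.exe",
     "InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Temp\krb.exe", "AdditionalFields": ""},
    {"Timestamp": "2023-11-06T10:02:40Z", "DeviceName": "ws02", "RemoteIP": "10.0.0.10", "RemotePort": 88,
     "InitiatingProcessFileName": "", "InitiatingProcessFolderPath": "", "AdditionalFields": ""},
    {"Timestamp": "2023-11-06T10:03:05Z", "DeviceName": "lnx01", "RemoteIP": "10.0.0.10", "RemotePort": 88,
     "InitiatingProcessFileName": "kinit",
     "InitiatingProcessFolderPath": "/usr/bin/kinit", "AdditionalFields": '{"Posix":{"uid":1000}}'},
    {"Timestamp": "2023-11-06T10:04:22Z", "DeviceName": "ws01", "RemoteIP": "10.0.0.20", "RemotePort": 445,
     "InitiatingProcessFileName": "krb.exe",
     "InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Temp\krb.exe", "AdditionalFields": ""},
    {"Timestamp": "2023-11-06T10:05:51Z", "DeviceName": "ws01", "RemoteIP": "10.0.0.11", "RemotePort": 88,
     "InitiatingProcessFileName": "krb.exe",
     "InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Temp\krb.exe", "AdditionalFields": ""},
    {"Timestamp": "2023-11-06T10:06:09Z", "DeviceName": "ws03", "RemoteIP": "10.0.0.10", "RemotePort": 88,
     "InitiatingProcessFileName": "LSASS.EXE",
     "InitiatingProcessFolderPath": r"C:\WINDOWS\SYSTEM32\LSASS.EXE", "AdditionalFields": ""},
]


def is_kerberos_from_unusual_process(event):
    """Mirror the query's where clauses, one predicate per pipe stage."""
    if event["RemotePort"] != 88:
        return False
    if event["InitiatingProcessFileName"] == "":
        return False  # != "" : drop rows with no process attribution (missing sensor data)
    if event["InitiatingProcessFolderPath"].lower() == LSASS_PATH:
        return False  # !~ : case-insensitive, so LSASS.EXE is excluded as well
    if "posix" in event["AdditionalFields"].lower():
        return False  # !contains is case-insensitive too (contains_cs would not be)
    return True


def kerberos_unusual_process(events):
    """Apply the filter and order like `sort by Timestamp`, whose KQL default is descending."""
    hits = [e for e in events if is_kerberos_from_unusual_process(e)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


def summarize_by_process(hits):
    """Triage roll-up: per device and image path, how many events and which KDC addresses were contacted."""
    summary = defaultdict(lambda: {"events": 0, "remote_ips": set()})
    for e in hits:
        key = (e["DeviceName"], e["InitiatingProcessFolderPath"].lower())
        summary[key]["events"] += 1
        summary[key]["remote_ips"].add(e["RemoteIP"])
    return dict(summary)


if __name__ == "__main__":
    hits = kerberos_unusual_process(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["Timestamp"], hit["DeviceName"], hit["InitiatingProcessFolderPath"], "->", hit["RemoteIP"])
    for (device, path), agg in summarize_by_process(hits).items():
        print(device, path, agg["events"], sorted(agg["remote_ips"]))
```

Of the seven constructed rows only the two krb.exe events on port 88 survive: lsass.exe is dropped regardless of path casing, the unattributed row and the Linux kinit row are dropped by the false-positive and Posix filters, and the krb.exe connection to port 445 never matches the Kerberos port. The roll-up shows the same image reaching two different KDC addresses, which is the kind of pattern worth pivoting on in DeviceProcessEvents.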

Details

C.J. May

Released: November 6, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, AdditionalFields, Timestamp

Operators

where, ==, !=, !~, !contains, |, sort by