Kerberos Traffic from Non-Standard Process

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-06-04
Category: Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Medium

Description

The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.

Attacker's Goals

  • Using a custom protocol implementation that offers malicious functionality.
  • Using the well-known Kerberos port with a different protocol to evade detection.
    Either way, the attacker's goal is to gain access to another endpoint on your network.
    The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner is used for sanctioned purposes. For example, nmap enumerating SMB.
  • Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Network honeypots.
  • Investigate the process to see whether the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
  • Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, that replacement could be known malware.
  • Check whether this process was running on other endpoints as well.

Variations

Rare Kerberos Traffic from a Process

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Low

Description

The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.

Attacker's Goals

  • Using a custom protocol implementation that offers malicious functionality.
  • Using the well-known Kerberos port with a different protocol to evade detection.
    Either way, the attacker's goal is to gain access to another endpoint on your network.
    The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner is used for sanctioned purposes. For example, nmap enumerating SMB.
  • Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Network honeypots.
  • Investigate the process to see whether the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
  • Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, that replacement could be known malware.
  • Check whether this process was running on other endpoints as well.
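The following added example (not Cortex XDR code) models the logic both alerts above describe: a 30-day training window builds a per-process baseline of connections to the Kerberos port, a process never seen there raises the Medium "Kerberos Traffic from Non-Standard Process" alert, a process seen only rarely raises the Low "Rare Kerberos Traffic from a Process" variation, and repeats for the same endpoint and process within the 1-day deduplication period are suppressed. The event tuples, the `lsass.exe` allowlist and the rarity threshold are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

KERBEROS_PORT = 88
STANDARD_KERBEROS_PROCESSES = {"lsass.exe"}  # assumed allowlist of expected Kerberos clients
TRAINING, DEDUP = timedelta(days=30), timedelta(days=1)  # periods from the alert reference

# Constructed sample events (not real telemetry): timestamp, endpoint, process, destination port
EVENTS = [
    ("2024-05-03T09:15:00", "ws01", "java.exe", 88),
    ("2024-05-10T09:15:00", "ws01", "java.exe", 88),
    ("2024-05-15T11:00:00", "ws02", "backup.exe", 88),
    ("2024-06-02T09:00:00", "ws01", "lsass.exe", 88),   # expected Kerberos client -> ignored
    ("2024-06-02T10:05:00", "ws01", "scan.exe", 88),    # unseen in training -> Medium
    ("2024-06-02T10:30:00", "ws01", "scan.exe", 88),    # same day, same process -> deduplicated
    ("2024-06-02T12:00:00", "ws02", "backup.exe", 88),  # seen once in training -> rare, Low
    ("2024-06-03T10:05:00", "ws01", "scan.exe", 88),    # a full day later -> alerts again
    ("2024-06-03T10:07:00", "ws01", "java.exe", 88),    # seen twice in training -> baseline
]

def baseline(events, train_end):
    """Count each process's Kerberos-port connections in the TRAINING window ending at train_end."""
    end = datetime.fromisoformat(train_end)
    counts = Counter()
    for ts, _host, proc, port in events:
        if port == KERBEROS_PORT and end - TRAINING <= datetime.fromisoformat(ts) < end:
            counts[proc.lower()] += 1
    return counts

def detect(events, train_end, rare_threshold=2):
    """Return (timestamp, endpoint, process, alert, severity) for events from train_end on."""
    end = datetime.fromisoformat(train_end)
    counts = baseline(events, train_end)
    last_alert, alerts = {}, []  # last emitted time per (endpoint, process, alert)
    for ts, host, proc, port in sorted(events):
        t, p = datetime.fromisoformat(ts), proc.lower()
        if t < end or port != KERBEROS_PORT or p in STANDARD_KERBEROS_PROCESSES:
            continue
        seen = counts[p]
        if seen >= rare_threshold:
            continue  # established baseline behaviour for this process
        alert, sev = (("Kerberos Traffic from Non-Standard Process", "Medium") if seen == 0
                      else ("Rare Kerberos Traffic from a Process", "Low"))
        key = (host, p, alert)
        if key in last_alert and t - last_alert[key] < DEDUP:
            continue  # suppress repeats inside the deduplication period
        last_alert[key] = t
        alerts.append((ts, host, p, alert, sev))
    return alerts
```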