{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/omnissa/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Windows","Horizon","RemoteManager","VMware View"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","VMware","Omnissa","IGEL","Elastic"],"content_html":"\u003cp\u003eThis detection rule correlates a network connection to the standard Kerberos port (88) from an unusual process on the source machine with a Kerberos authentication ticket request (Windows Security event 4768) logged by the target domain controller. It aims to identify lateral movement or credential access attempts within a Windows domain. On Windows the Kerberos client lives in \u003ccode\u003elsass.exe\u003c/code\u003e, so legitimate port-88 traffic normally originates from that process; the rule therefore focuses on processes other than \u003ccode\u003elsass.exe\u003c/code\u003e or known Tomcat services (Java applications ship their own Kerberos implementation) making Kerberos requests, since any other process speaking Kerberos directly is either an application with its own stack that needs an exception or a tool requesting tickets on the attacker\u0026rsquo;s behalf. Kerberos is the primary authentication protocol in Active Directory, so unusual activity at this layer is a strong signal of credential misuse. 
The rule is written in EQL as a two-stage sequence and draws on endpoint network events (Elastic Defend or Sysmon) from the source host together with Windows Security event logs from the domain controllers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows endpoint within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious tool or leverages an existing binary to request a Kerberos ticket (TGT or TGS).\u003c/li\u003e\n\u003cli\u003eThis tool establishes its own network connection to the domain controller on port 88 (Kerberos) rather than going through the Windows Kerberos client in \u003ccode\u003elsass.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe domain controller receives the Kerberos ticket request and logs event 4768 (Kerberos authentication ticket request) or 4769 (Kerberos service ticket request).\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies this network connection originating from an unusual process (not \u003ccode\u003elsass.exe\u003c/code\u003e or a known Tomcat service) on the endpoint.\u003c/li\u003e\n\u003cli\u003eThe rule correlates this network connection with the corresponding Kerberos authentication event on the domain controller within a 3-second window.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication may allow the attacker to move laterally within the network or access sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Kerberos ticket to authenticate to other systems or services in the domain, furthering their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to lateral movement within the network, unauthorized access to sensitive data, and potential compromise of critical systems. The rule\u0026rsquo;s risk score is 73, which maps to a high severity for this type of activity. 
Organizations could experience data breaches, financial losses, and reputational damage if such attacks are not detected and mitigated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy this EQL rule in your Elastic Security environment (or an equivalent correlation in your SIEM) to detect suspicious Kerberos authentication ticket requests.\u003c/li\u003e\n\u003cli\u003eCollect endpoint network connection events, either from Elastic Defend or by enabling Sysmon event ID 3 (Network Connection), so the rule can see which process opened the connection to port 88.\u003c/li\u003e\n\u003cli\u003eEnable Success and Failure auditing for Kerberos Authentication Service (event ID 4768) and Kerberos Service Ticket Operations (event ID 4769) on all domain controllers, and forward those logs to the SIEM where the rule runs; the correlation needs both the endpoint and the domain controller telemetry.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alert by examining the process executable, command line, target user name, and associated network activity as described in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eTune the rule\u0026rsquo;s process exceptions to account for legitimate Kerberos-capable clients in your environment (Java services with their own GSS stack, for example), matching on the full executable path rather than the image name alone so that a renamed or relocated binary does not inherit the exception.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the source process is unsigned, renamed, user-writable, signer-mismatched, or outside known AD audit, Kerberos diagnostic, or security-test tooling as detailed in the note section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T17:45:36Z","date_published":"2026-05-12T17:45:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-kerberos-auth/","summary":"This rule detects suspicious Kerberos authentication ticket requests by correlating a network connection to the standard Kerberos port (88) from an unusual process on a source machine with a Kerberos authentication ticket request logged by the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.","title":"Suspicious Kerberos Authentication Ticket Request","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-kerberos-auth/"}],"language":"en","title":"CraftedSignal Threat Feed — Omnissa","version":"https://jsonfeed.org/version/1.1"}
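The correlation the brief describes (an endpoint connection to port 88 from a process other than lsass.exe or a known Tomcat service, followed within 3 seconds by a 4768 on the domain controller) can be modelled offline to see how the two stages and the process exceptions interact. The Python below is an added example written for this page, not Elastic's rule or its EQL, run over constructed Sysmon/Security-style events. The join of the 4768 client address (the IpAddress field, which records IPv4 clients as ::ffff:a.b.c.d) against the endpoint's source IP, the exception list, and the user-writable-path heuristic used to set a triage priority are this example's assumptions; the sample events are fabricated telemetry.

```python
"""Offline model of the correlation described above: a connection to port 88 from a
process other than lsass.exe (or a known Tomcat service), followed within 3 seconds
by a 4768 on the domain controller. Added example, not Elastic's rule or its EQL;
the client-IP join, the exception list and the sample events are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

KERBEROS_PORT = 88
MAXSPAN = timedelta(seconds=3)
# lsass.exe hosts the Windows Kerberos SSP and is the normal origin of port-88 traffic;
# Tomcat (Java GSS) is the legitimate non-LSASS client the rule exempts. Compared
# case-insensitively; assumption: extend per environment, preferably by full path.
EXPECTED_EXECUTABLES = {r"c:\windows\system32\lsass.exe"}
EXPECTED_IMAGE_NAMES = {"tomcat8.exe", "tomcat9.exe", "tomcat10.exe"}
# Assumption: heuristic behind the "user-writable" triage hint in the recommendations.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

@dataclass
class NetworkEvent:  # Sysmon EID 3 or Elastic Defend network "start" event
    ts: datetime
    host: str
    source_ip: str
    dest_port: int
    executable: str
    command_line: str

@dataclass
class KerberosAuthEvent:  # Security event 4768 recorded on the domain controller
    ts: datetime
    dc: str
    target_user: str
    client_ip: str  # 4768 IpAddress field; IPv4 clients appear as ::ffff:a.b.c.d

@dataclass
class Alert:
    host: str
    executable: str
    command_line: str
    target_user: str
    dc: str
    gap_seconds: float
    priority: str  # "high" when the source binary sits in a user-writable path

def normalize_ip(ip: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix the DC writes into 4768."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def is_expected_client(executable: str) -> bool:
    path = executable.lower()
    return path in EXPECTED_EXECUTABLES or path.rsplit("\\", 1)[-1] in EXPECTED_IMAGE_NAMES

def suspicious_kerberos_connections(events: List[NetworkEvent]) -> List[NetworkEvent]:
    """Stage one of the sequence: egress to port 88 from an unexpected process."""
    return [e for e in events if e.dest_port == KERBEROS_PORT and not is_expected_client(e.executable)]

def correlate(net_events: List[NetworkEvent], auth_events: List[KerberosAuthEvent],
              maxspan: timedelta = MAXSPAN) -> List[Alert]:
    """Stage two: pair each suspicious connection with the first 4768 whose client IP
    equals the endpoint's source IP and that lands within maxspan after it."""
    alerts: List[Alert] = []
    auths = sorted(auth_events, key=lambda a: a.ts)
    for n in suspicious_kerberos_connections(net_events):
        for a in auths:
            gap = (a.ts - n.ts).total_seconds()
            if gap < 0:
                continue
            if gap > maxspan.total_seconds():
                break  # auths are sorted; nothing later can match this connection
            if normalize_ip(a.client_ip) == n.source_ip:
                writable = any(m in n.executable.lower() for m in USER_WRITABLE_MARKERS)
                alerts.append(Alert(n.host, n.executable, n.command_line, a.target_user,
                                    a.dc, gap, "high" if writable else "medium"))
                break
    return alerts

def sample_events() -> Tuple[List[NetworkEvent], List[KerberosAuthEvent]]:
    """Constructed telemetry, not real logs: a benign LSASS request, a Tomcat request,
    a request from a binary in %TEMP%, and one whose 4768 arrives outside the window."""
    t0 = datetime(2026, 5, 12, 17, 45, 0)
    def at(sec: float) -> datetime:
        return t0 + timedelta(seconds=sec)
    net = [
        NetworkEvent(at(0), "ws01", "10.0.0.5", 88, r"C:\Windows\System32\lsass.exe", "lsass.exe"),
        NetworkEvent(at(10), "ws01", "10.0.0.5", 88, r"C:\Users\bob\AppData\Local\Temp\kerb.exe", "kerb.exe --user bob"),
        NetworkEvent(at(20), "app01", "10.0.0.6", 88, r"C:\Tomcat\bin\tomcat9.exe", "tomcat9.exe //RS//Tomcat9"),
        NetworkEvent(at(30), "ws01", "10.0.0.5", 88, r"C:\Users\bob\Downloads\tool.exe", "tool.exe"),
    ]
    auth = [
        KerberosAuthEvent(at(0.4), "dc01", "alice", "::ffff:10.0.0.5"),
        KerberosAuthEvent(at(11.2), "dc01", "bob", "::ffff:10.0.0.5"),
        KerberosAuthEvent(at(20.5), "dc01", "svc_tomcat", "::ffff:10.0.0.6"),
        KerberosAuthEvent(at(35.0), "dc01", "bob", "::ffff:10.0.0.5"),  # 5 s late: outside maxspan
    ]
    return net, auth

def run_sample() -> List[Alert]:
    return correlate(*sample_events())
```

Running `run_sample()` yields a single high-priority alert for `kerb.exe` on ws01 (user bob, 1.2 s gap); the LSASS and Tomcat connections are dropped by the exception list, and the `tool.exe` connection produces nothing because its 4768 arrives 5 s later. That last case is the operational caveat: the 3-second window is evaluated across timestamps from two different machines, so clock drift between endpoints and domain controllers larger than the window silently defeats the correlation. Keep both sides NTP-synchronised and treat a burst of unmatched stage-one hits as worth a look on its own.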