kerberos_scan_external

Explanation

This NDM is designed to detect Kerberos scanning that is hitting the customer’s network from the Internet. Kerberos is a protocol for authenticating requests between hosts on a network.

What to Look For

Scanning activity on the Internet is quite commonplace. Under normal circumstances, Kerberos should not be exposed to the open Internet.

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise

Active Scanning, Technique T1595 - Enterprise