Product
medium
threat
Potential Command and Control via Internet Explorer COM Abuse
2 rules 4 TTPsThis rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.
Internet Explorer
command-and-control
com
iexplore
windows
2r
4t
medium
threat
Kerberos Traffic from Unusual Process
2 rules 2 TTPsDetects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.
Elastic Defend +22
kerberoasting
credential-access
lateral-movement
windows
2r
2t