Product
high
advisory
Suspicious Kerberos Authentication Ticket Request
2 rules 2 TTPsThis rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request from the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.
Elastic Defend +4
lateral-movement
threat-detection
windows
2r
2t
medium
threat
Kerberos Traffic from Unusual Process
2 rules 2 TTPsDetects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.
Elastic Defend +22
kerberoasting
credential-access
lateral-movement
windows
2r
2t