MaxPatrol SIEM knowledge base

unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance. unix_mitre_attck_discovery: PT-CR-1682: Unix_System_Network_Configuration_Discovery: Reconnaissance command for network settings and connections of a Unix host was executed pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software mysql_database: PT-CR-616: MySQL_Server_Connections_Discovery: Attempt to retrieve a list of server connections mitre_attck_discovery: PT-CR-2151: Subrule_Net_Share_Access: A network directory object was accessed. Attackers use network directory objects for lateral movement. mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host mitre_attck_discovery: PT-CR-334: System_Network_Connections_Discovery: An attempt to retrieve network connection information is detected mitre_attck_discovery: PT-CR-2150: Net_Tool_Usage: The NET utility was used. Attackers use the NET utility with the "use" parameter for network reconnaissance, accessing network shares, credential checks, and lateral movement. active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on. hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts. hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth) hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts. hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.