T1049: System Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The discovery commands used are likely the same ones used on that operating system elsewhere, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers differ in how their virtual networks operate. Adversaries who gain access to network devices may likewise perform discovery to gather information about connected systems and services.
Utilities and commands that acquire this information include netstat, "net use", and "net session" with Net. On macOS and Linux, netstat and lsof can be used to list current connections, and "who -a" and "w" can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. "show ip sockets", "show tcp brief").
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
samba_active_directory_attacks: PT-CR-2955: SambaDC_Active_Directory_Data_Collection: LDAP requests to collect domain information were executed using the AD Explorer, SharpHound, JXplorer, or LDAP Administrator utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
mitre_attck_discovery: PT-CR-2150: Net_Tool_Usage: The NET utility was used. Attackers use the NET utility with the "use" parameter for network reconnaissance, accessing network shares, credential checks, and lateral movement.
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_discovery: PT-CR-334: System_Network_Connections_Discovery: An attempt to retrieve network connection information is detected
mitre_attck_discovery: PT-CR-2151: Subrule_Net_Share_Access: A network directory object was accessed. Attackers use network directory objects for lateral movement.
mysql_database: PT-CR-616: MySQL_Server_Connections_Discovery: Attempt to retrieve a list of server connections
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to the winreg (2) and wkssvc (1) pipes under the account of the same user from the same host was detected. This may indicate the use of the SharpHound (BloodHound) LoggedOn information collection technique
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts.
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to the samr and srvsvc named pipes under the account of the same user from the same host was detected. This may indicate the use of one of the SharpHound (BloodHound) information collection techniques: LocalGroup, RDP, DCOM, LocalAdmin, or ComputerOnly
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with SharpHound or BloodHound software
unix_mitre_attck_discovery: PT-CR-1682: Unix_System_Network_Configuration_Discovery: A reconnaissance command for network settings and connections of a Unix host was executed
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
DS0009 | Process: Process Creation | Monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
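The commands listed in the technique description and the DS0017/DS0009 guidance to monitor executed commands and processes, as an added example (not code from the original page, from MITRE, or from any Positive Technologies product): a small Python detector that flags those command lines in process-creation log lines and rolls the hits up per host, in the spirit of the "mass recon" rules listed above. The log line format, the host and user names, and the per-host threshold are constructed for the example and are not any product's real telemetry or rule logic.

```python
"""Added example: flag ATT&CK T1049 discovery commands in process-creation logs.

The log format and every sample line below are constructed for this example;
the command patterns come from the technique description (netstat, net use,
net session, lsof, who -a, w, show ip sockets, show tcp brief)."""
import re
from collections import Counter

# One (tag, regex) pair per command family from the technique description.
# Each regex runs against the full command line; an optional leading path is allowed.
DISCOVERY_PATTERNS = [
    # netstat on Windows, macOS and Linux (optional path, optional .exe)
    ("netstat", re.compile(r"^(?:\S*[\\/])?netstat(?:\.exe)?\b", re.I)),
    # "net use" / "net session"; net.exe hands these to net1.exe, so accept both
    ("net use/session", re.compile(r"^(?:\S*\\)?net1?(?:\.exe)?\s+(?:use|session)\b", re.I)),
    # lsof lists open files including sockets (-i narrows it to network files)
    ("lsof", re.compile(r"^(?:\S*/)?lsof\b")),
    # who -a and w show logged-in users, the Unix analogue of "net session"
    ("who -a / w", re.compile(r"^(?:\S*/)?(?:who\s+-a\b|w\b)")),
    # network device CLI
    ("network device show", re.compile(r"^show\s+(?:ip\s+sockets|tcp\s+brief)\b", re.I)),
]

# Constructed log format: one process-creation event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample events (hosts, users and timestamps are made up).
SAMPLE_LOG = """\
2024-05-02T10:01:03Z host=ws01 user=jdoe parent=cmd.exe cmd="netstat -ano"
2024-05-02T10:01:09Z host=ws01 user=jdoe parent=cmd.exe cmd="net use"
2024-05-02T10:01:15Z host=ws01 user=jdoe parent=cmd.exe cmd="C:\\Windows\\System32\\net1.exe session"
2024-05-02T10:02:30Z host=ws01 user=jdoe parent=explorer.exe cmd="notepad.exe notes.txt"
2024-05-02T10:05:41Z host=srv03 user=svc_backup parent=bash cmd="lsof -i -nP"
2024-05-02T10:06:02Z host=srv03 user=svc_backup parent=bash cmd="who -a"
2024-05-02T10:06:10Z host=srv03 user=svc_backup parent=bash cmd="wget https://example.invalid/file"
2024-05-02T10:07:00Z host=rtr01 user=admin parent=cli cmd="show tcp brief"
2024-05-02T10:07:05Z host=rtr01 user=admin parent=cli cmd="show ip sockets"
"""


def classify(cmdline):
    """Return the tag of the first discovery pattern matching cmdline, else None."""
    for tag, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmdline.strip()):
            return tag
    return None


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return the parsed events whose command line is a T1049 discovery command."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        tag = classify(event["cmd"])
        if tag:
            hits.append({**event, "tag": tag})
    return hits


def hosts_with_mass_recon(hits, threshold=3):
    """Hosts on which at least `threshold` discovery commands were seen (threshold is illustrative)."""
    counts = Counter(h["host"] for h in hits)
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["user"]} [{h["tag"]}] {h["cmd"]}')
    print("mass recon:", hosts_with_mass_recon(found))
```

On the sample input the detector flags seven of the nine events (the notepad and wget lines are ignored) and, with the illustrative threshold of three, reports only ws01 as a mass-reconnaissance host. In a real pipeline the per-host roll-up is what separates a single administrator running netstat from a scripted sweep, and the "w" pattern deliberately requires a word boundary so that wget and similar commands are not counted.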