T1059.004: Unix Shell
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
supply_chain: PT-CR-1963: SupplyChain_TeamCity_Execution_Via_Request: The ability to remotely execute commands was enabled, and the code was executed. After receiving a TeamCity API access token, attackers can enable the rest.debug.processes.enable option, which allows them to run commands on the server via POST requests.
sap_suspicious_user_activity: PT-CR-254: SAPASABAP_GW_Sapxpg_Call: SAPXPG run.
postgresql_database: PT-CR-1902: PostgreSQL_File_System_Actions: Interaction of the PostgreSQL database with the file system may indicate reconnaissance or an attempt by an attacker to escalate privileges, if this is not a standard integration of the database with external systems.
postgresql_database: PT-CR-1899: PostgreSQL_Code_Execution: Running a process under a database account may indicate that an attacker who gained the ability to execute queries against the database is attempting to escalate privileges.
postgresql_database: PT-CR-1903: Subrule_PostgreSQL_Create_Process: Creation of subprocesses by a PostgreSQL database process.
mitre_attck_defense_evasion: PT-CR-1776: Browser_LOLBin: A process was started using trusted software.
vulnerabilities: PT-CR-3017: CVE_2024_22116_Zabbix_Command_Injection: Exploitation of the CVE-2024-22116 vulnerability in Zabbix, which allows the injection of arbitrary commands into script code. Attackers create or modify a macro so that it contains a command they want and specify that macro instead of the IP address of a monitored host. When the script is executed, the command specified in the macro is injected and executed. When this vulnerability is exploited, default scripts such as "Detect operating system," "Ping," or "Traceroute" are often used.
unix_mitre_attck_execution: PT-CR-1018: Unix_Hacktool_Usage: The rule detects the use of security analysis tools on Unix hosts.
unix_mitre_attck_execution: PT-CR-2752: LOLESXi_Usage: A potentially dangerous command was executed in the ESXi shell on a virtual machine running on the VMware ESXi hypervisor.
unix_mitre_attck_execution: PT-CR-1031: Unix_Inline_Reverse_Or_Bind_Shell: Bind or reverse shell creation is detected based on specific command line patterns.
unix_mitre_attck_execution: PT-CR-1019: Unix_Recon_Tools_And_Commands: Reconnaissance commands were executed on a Unix host.
unix_mitre_attck_execution: PT-CR-1021: Unix_Suspicious_Command: Suspicious commands were executed on a Unix host.
unix_mitre_attck_execution: PT-CR-1071: Unix_Connect_From_Home_Dir: A network API call on behalf of a process run from the user's home directory.
unix_mitre_attck_execution: PT-CR-482: Unix_Connect_From_Suspicious_Dir: A network API call by a process run from a suspicious directory.
unix_mitre_attck_execution: PT-CR-296: Unix_Reverse_Shell: A reverse-shell connection using third-party tools.
unix_mitre_attck_execution: PT-CR-294: Unix_Reverse_Shell_Via_Bash: A reverse-shell connection using a Bash script.
unix_mitre_attck_execution: PT-CR-286: Unix_Bind_Shell: An external connection to a bind shell.
pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used.
pt_application_firewall: PT-CR-1906: PTAF_Command_Injection_Detected: PT AF detected OS command injection.
solaris_suspicious_network_activity: PT-CR-552: Solaris_Detect_Run_Reverse_Shell_By_Something: Reverse shell usage via third-party tools.
solaris_suspicious_network_activity: PT-CR-551: Solaris_Detect_Run_Bash_For_Reverse_Shell: Reverse shell usage via bash.
solaris_suspicious_network_activity: PT-CR-545: Solaris_Detect_Bind_Shell: A bind shell connection is detected.
it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used.
it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command.
it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command was executed.
mysql_database: PT-CR-617: MySQL_Code_Execution: Running a process under a database account may indicate that an attacker who gained the ability to execute queries against the database is attempting to escalate privileges.
unix_mitre_attck_command_and_control: PT-CR-2639: Unix_Possible_GS_Netcat_Usage: Attempt to connect to an external host on destination port 443. This may indicate that the gs-netcat utility is being used for network reconnaissance, accessing local resources, or lateral movement.
pt_cs: PT-CR-2865: PTCS_Hacktool_Usage: A suspicious process, or a process from an unusual directory, was started.
pt_cs: PT-CR-2859: PTCS_Reverse_Shell: A process created a reverse shell connection to a remote host. After gaining remote access to a system using a shell, attackers can execute commands, intercept data, inject malicious code, move around in the internal network, or gain persistence in the infrastructure.
pt_cs: PT-CR-2847: PTCS_Suspicious_Shell_Create: Suspicious start of a shell inside a container. This could be an attacker's attempt to manually execute commands, perform reconnaissance, escalate privileges, break out of the container's isolated environment, or advance a post-exploitation attack.
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: Process Creation | Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation.

Analytic 1 - Unusual command execution
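As an added illustration of the process-creation and command-execution monitoring described above (example code written for this page, not a MaxPatrol SIEM rule or the MITRE analytic), the following Python script runs constructed process-creation records through three checks the detection text points at: a shell spawned by a service process or service account, a script run from a user-writable directory, and a shell command line that references a network channel. The record format, the service parent and account lists, and the directory list are assumptions to be tuned per environment.

```python
import re

# Interpreters treated as "Unix shells" by this analytic.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
# Assumed service parents and accounts that normally have no reason to launch a shell.
SERVICE_PARENTS = {"postgres", "mysqld", "nginx", "apache2", "httpd", "tomcat"}
SERVICE_USERS = {"postgres", "mysql", "www-data", "nginx"}
# User-writable locations that scripts should rarely be run from (assumed list).
SUSPICIOUS_DIRS = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm|/home/[^/\s]+)/\S*")
# Built-ins and tools that turn a shell into a network channel.
NET_HINTS = re.compile(r"/dev/tcp/|(^|\s)(nc|ncat|socat)(\s|$)")

def parse_event(line: str) -> dict:
    """Parse one constructed key=value record; cmd= is last and may contain spaces."""
    head, _, cmd = line.partition(" cmd=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmd"] = cmd
    return fields

def classify(ev: dict) -> list[str]:
    """Return why this event warrants a look; an empty list means nothing unusual."""
    if ev["image"] not in SHELLS:
        return []
    reasons = []
    if ev["parent"] in SERVICE_PARENTS or ev["user"] in SERVICE_USERS:
        reasons.append("shell launched by a service process or service account")
    if SUSPICIOUS_DIRS.search(ev["cmd"]):
        reasons.append("script or argument in a user-writable directory")
    if NET_HINTS.search(ev["cmd"]):
        reasons.append("command line references a network channel")
    return reasons

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its reasons; unflagged events are dropped."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if reasons := classify(ev):
            hits[ev["cmd"]] = reasons
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "user=alice parent=sshd image=bash cmd=bash",
    "user=postgres parent=postgres image=sh cmd=sh -c id",
    "user=www-data parent=apache2 image=bash cmd=bash /dev/shm/.x.sh",
    "user=bob parent=bash image=bash cmd=bash -c 'cat </dev/tcp/203.0.113.5/443'",
    "user=root parent=systemd image=python3 cmd=python3 /opt/app/main.py",
]
```

Running `scan(SAMPLE_LOG)` flags the postgres, www-data and bob records and ignores the interactive SSH session and the non-shell python3 process; in practice the allowlists need per-host tuning, since the text notes shell use is routine for administrators and developers.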
Mitigation
ID | Name | Description
---|---|---
M1038 | Execution Prevention | Use application control where appropriate.