T1068: Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_nad: PT-CR-737: NAD_SAM_Account_Name_Spoofing: A user requested a TGT
sap_attack_detection: PT-CR-158: SAPASABAP_Start_Critical_Transaction: Start of SAP critical transaction
sap_attack_detection: PT-CR-157: SAPASABAP_Start_Critical_Module: Start of a SAP critical functional module
hacking_tools: PT-CR-2565: Cobalt_Strike_Elevate: A user escalated their privileges. The detected actions are consistent with the execution of the "elevate" command using a Cobalt Strike beacon on an infected host.
pt_ngfw: PT-CR-2935: NGFW_SAM_Account_Name_Spoofing: PT NGFW detected a TGT request under an account that matches a domain controller name
vulnerabilities: PT-CR-2074: Subrule_CVE_2023_4911_GLIBC_Buffer_Overflow: Subrule to rule CVE_2023_4911_GLIBC_Buffer_Overflow. The rule detects local privilege escalation via a buffer overflow. Attackers using the CVE-2023-4911 vulnerability can start SUID programs to execute code with elevated privileges
vulnerabilities: PT-CR-1719: PrivEsc_Via_UAC_Elevated_Data: An attempt to elevate privileges to SYSTEM using an IFaultrepElevatedDataCollectionUAC utility
vulnerabilities: PT-CR-889: LPE_7zip_CVE_2022_29072: Possible exploitation of vulnerability CVE-2022-29072 in 7-Zip for privilege elevation
vulnerabilities: PT-CR-1994: CVE_2023_22515_Confluence: Exploitation of vulnerability CVE-2023-22515 in Confluence that allows creating administrator accounts without authentication on the server
vulnerabilities: PT-CR-890: Possible_CVE_2019_1388: Possible exploitation of vulnerability CVE-2019-1388
vulnerabilities: PT-CR-683: CVE_2022_26503_Subrule_2: Process Veeam.EndPoint.Service started another process
vulnerabilities: PT-CR-2941: Possible_CVE_2022_0847_Dirty_Pipe: Sensitive read-only files were opened and modified using the splice system call, which could allow an attacker to start a process as root. This activity may indicate exploitation of the CVE-2022-0847 Dirty-Pipe vulnerability.
vulnerabilities: PT-CR-829: Certified_Priv_Esc_CVE_2022_26923: The domain privileges were escalated using vulnerability CVE-2022-26923 in Active Directory Certificate Services
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE associated with privilege escalation by creating a new administrator account
vulnerabilities: PT-CR-628: CVE_2021_41379_Exploitation: Vulnerability CVE-2021-41379 was exploited
vulnerabilities: PT-CR-2755: MS17_010_SMB_Privellege_Escalation: Possible exploitation of an MS17-010 vulnerability for privilege escalation. Attackers can exploit flaws in the SMB protocol to gain the highest privileges and execute arbitrary code. Arbitrary code can be executed through remote configuration of Windows services.
vulnerabilities: PT-CR-863: Symlink_Via_SpoolDirectory: A non-privileged user wrote using a link or the spooler service
vulnerabilities: PT-CR-891: Possible_CVE_2020_1350: Possible exploitation of vulnerability CVE-2020-1350
vulnerabilities: PT-CR-2929: CVE_2024_30085_PrivEsc_CldFlt: Possible exploitation of vulnerability CVE-2024-30085 in Windows Cloud Files Mini Filter Driver. This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges.
vulnerabilities: PT-CR-2078: CVE_2023_4911_GLIBC_Buffer_Overflow: The rule detects local privilege escalation via a buffer overflow. Attackers using the CVE-2023-4911 vulnerability can start SUID programs to execute code with elevated privileges
vulnerabilities: PT-CR-849: PrintSpooler_PrivEsc: Privileges were escalated using a vulnerability in the print spooler service
vulnerabilities: PT-CR-892: Possible_CVE_2021_1647: Possible exploitation of vulnerability CVE-2021-1647 in Windows Defender
vulnerabilities: PT-CR-893: PrinterPort_Backdoor: Possible exploitation of vulnerability CVE-2020-1048 in Windows Print Spooler service
vulnerabilities: PT-CR-681: CVE_2022_26503_Exploitation: Vulnerability CVE-2022-26503 was exploited
vulnerabilities: PT-CR-850: PrintSpooler_PrivEsc_CVE_2022_30206: Privileges were escalated using vulnerability CVE-2022-30206 in the print spooler service
vulnerabilities: PT-CR-2754: MS17_010_SMB_Code_Execution: An MS17-010 vulnerability was exploited. MS17-010 vulnerabilities allow attackers to escalate privileges to SYSTEM by exploiting flaws in the SMBv1 protocol. Attackers can then create a malicious service using access to the "svcctl" named pipe responsible for remote configuration of Windows services on hosts, and execute arbitrary code.
vulnerabilities: PT-CR-2469: CVE_2024_26229_CSC_Service_PrivEsc: Exploitation of vulnerability CVE-2024-26229 in the csc.sys offline files driver allows a low-privileged attacker to escalate their privileges to NT AUTHORITY/SYSTEM in the current command-line session. This can lead to the compromise of local and domain user accounts, as well as accounts of users who have previously accessed the host. By using the compromised data, the attacker can move laterally within the target infrastructure.
vulnerabilities: PT-CR-862: Subrule_StartProcess_And_Create_ConfigMsi: A user launched an application that is trying to create the system directory C:\Config.msi
unix_mitre_attck_privilege_escalation: PT-CR-2403: CVE_2024_1086_Linux_LPE: Exploitation of vulnerability CVE-2024-1086 in the netfilter component. An attacker can execute code at the kernel level and escalate privileges on the system using a double free error in the nf_tables module.
unix_mitre_attck_privilege_escalation: PT-CR-1747: Unix_Exploiting_OverlayFS: Privilege escalation using the Linux kernel OverlayFS vulnerability (CVE-2023-0386)
active_directory_attacks: PT-CR-1203: Abuse_Kerberos_RC4: Possible exploitation of the CVE-2022-33679 vulnerability in Kerberos, which will allow attackers to obtain an authenticated session on behalf of the victim and execute arbitrary code on a compromised node. This may allow an attacker to extract the credentials of other users and move horizontally to other infrastructure nodes
active_directory_attacks: PT-CR-2298: Zerologon_Attack: Exploitation of vulnerability CVE-2020-1472 (Zerologon) that allows you to change passwords to domain controller accounts
active_directory_attacks: PT-CR-837: KrbRelay_Usage: There are signs of using the KrbRelay or DavRelayUp utility, which allows you to use the lack of signature of LDAP requests to relay the authentication process and receive a TGS ticket for the SPN account on behalf of the administrator. After that, an attacker can elevate their privileges to a local administrator and execute malicious code on a compromised node
active_directory_attacks: PT-CR-838: ShadowCred_Used: The use of the msds-keycredentiallink attribute to authorize a machine account in a domain without using a password was detected. This is a sign of using KrbRelayUp to locally elevate privileges using Shadow Credentials. An attacker can use this to obtain the credentials of other users and horizontally move to other infrastructure nodes
active_directory_attacks: PT-CR-2542: RemoteKrbRelay_Usage: A user who is not the connection initiator was authenticated by Kerberos. This may indicate the use of the RemoteKrbRelay utility that allows you to remotely trigger and relay Kerberos authentication in order to gain access to a service with the privilege level of the target account using the CertifiedDCOM and SilverPotato techniques.
active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: A user changed the SamAccountName of an AD object to something unusual (the presence or absence of the "$" symbol at the end of the name does not correspond to the object type) or requested a TGT under an account that matches the name of a domain controller. This may indicate a SamAccountName Spoofing attack that can allow attackers to escalate privileges or carry out a Targeted Timeroasting attack.
mitre_attck_execution: PT-CR-1908: Execute_Over_WER_Service: Attackers can exploit a WER service vulnerability that allows spoofing an executable file and running an attacker's file with system privileges
mitre_attck_privilege_escalation: PT-CR-853: RoguePotato_PrivEsc: Privileges are escalated using the RoguePotato technique
mitre_attck_privilege_escalation: PT-CR-847: MultiPotato_PrivEsc: The MultiPotato tool is used to escalate privileges
mitre_attck_privilege_escalation: PT-CR-1933: GodPotato_PrivEsc: Privilege escalation using the GodPotato technique allows an attacker with the ImpersonatePrivilege privilege to escalate their privileges to the System user. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes.
mitre_attck_privilege_escalation: PT-CR-2135: PetitPotato_PrivEsc: PetitPotato was used to escalate privileges
mitre_attck_privilege_escalation: PT-CR-855: Subrule_Action_After_Pipe_Connected: The MultiPotato tool is used to escalate privileges to local administrator or System
mitre_attck_privilege_escalation: PT-CR-1217: RasMan_Potato: Local escalation of privileges from a service account to SYSTEM using the RasmanPotato technique is detected
mitre_attck_privilege_escalation: PT-CR-2147: LocalPotato_PrivEsc: Privilege escalation with the LocalPotato technique by replacing the context during local NTLM authentication
mitre_attck_privilege_escalation: PT-CR-2491: CVE_2022_38028_PrivEsc_Via_Spoolsv: Exploitation of vulnerability CVE-2022-38028 in Windows Print Spooler, which can lead to the execution of malicious files with SYSTEM level privileges
mitre_attck_privilege_escalation: PT-CR-861: Subrule_Pwned_Pipe: A process opened a suspicious pipe
mitre_attck_privilege_escalation: PT-CR-846: JuicyPotato_PrivEsc: Detects privilege escalation to the System user using the JuicyPotato or JuicyPotatoNG technique. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes.
mitre_attck_privilege_escalation: PT-CR-852: Remote_Potato_Relay_Hash: The NTLM hash of a logged-on user is captured using the RemotePotato technique
mitre_attck_privilege_escalation: PT-CR-2500: SilverPotato_PrivEsc: Privilege escalation using the SilverPotato technique. This technique allows users that belong to the "Distributed COM Users" or "Performance Log Users" group to remotely interact with an application in the interactive user context and trigger authentication which is then relayed to the target host.
mitre_attck_privilege_escalation: PT-CR-2241: Subrule_S4UTomato_IMarshal_Creation: A process with command line content typical of the S4UTomato utility created an IMarshal interface
mitre_attck_privilege_escalation: PT-CR-851: Remote_Potato_Capture_Hash: The user's NTLM hash is captured using the RemotePotato technique
mitre_attck_privilege_escalation: PT-CR-2242: S4UTomato_PrivEsc: The privileges of a service account were escalated to the SYSTEM level using the S4UTomato utility
mitre_attck_privilege_escalation: PT-CR-1218: Subrule_RasMan_Pipe: A subrule for local privilege escalation with Rasman Potato
mitre_attck_privilege_escalation: PT-CR-860: Subrule_Not_Self_Relay: An attempt to conduct an NTLM relay attack is detected
mitre_attck_privilege_escalation: PT-CR-2490: Subrule_CVE_2022_38028_Creating_Artifacts: Copying and modifying JavaScript constraint file mpdw-constraints.js and registering a custom protocol handler to escalate privileges
mitre_attck_privilege_escalation: PT-CR-1353: PrivEsc_Via_Comctl32: Exploitation of a logic error when creating a folder that requires administrator rights to access. This allows the user's privilege level to be elevated to SYSTEM when a specific trigger fires.
mitre_attck_privilege_escalation: PT-CR-859: Subrule_IMarshal_Interface: Creation of an IMarshal interface is detected
mitre_attck_privilege_escalation: PT-CR-2063: CoercedPotato_PrivEsc: Attempt to use the CoercedPotato technique. Privilege escalation using the CoercedPotato technique allows attackers with the ImpersonatePrivilege privilege to escalate their privileges to the SYSTEM level. After that, attackers can use the compromised host to retrieve credentials of local users, and in some cases other users that accessed this host. This data will allow attackers to perform lateral movement in the infrastructure.
mitre_attck_privilege_escalation: PT-CR-2596: IHxExec_Arbitrary_Code_Execution: Arbitrary code was executed on behalf of another user using the IHxExec utility. This utility uses the Execute method of COM object "IHxHelpPaneServer" to execute code in the context of a selected active session.
mitre_attck_privilege_escalation: PT-CR-857: Subrule_Elevated_Process_Run: A non-privileged user ran a process
mitre_attck_privilege_escalation: PT-CR-465: Spoolsv_Priv_Escalation: A suspicious behavior of the built-in Microsoft Windows utility "spoolsv" is detected
mitre_attck_privilege_escalation: PT-CR-2148: Subrule_HTTP_Request: A process sent an HTTP request and received a response from the system
mitre_attck_privilege_escalation: PT-CR-1212: PrintNotify_Potato: Privileges of a service account are escalated using the PrintNotifyPotato technique
mitre_attck_privilege_escalation: PT-CR-466: Suspicious_Windows_Kernel_Creating: A Windows NT operating system executable is created

Detection

ID: DS0027
Data source and component: Driver: Driver Load
Description:

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode. Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges because they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting the spoolsv or conhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.

Analytic 1 - Unusual Child Process for spoolsv.exe or conhost.exe

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage="C:\Windows\System32\cmd.exe"
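The driver-load guidance above (Sysmon Event ID 6 checked against a list of known vulnerable drivers) and Analytic 1 (spoolsv.exe or conhost.exe created by cmd.exe) carried out as one worked triage script over XML-rendered events. This is an added example written for this page, not code from MITRE, Positive Technologies or the original page. The blocklist hash, the event records and the account names are constructed placeholders; the Security 4688 field names (NewProcessName, ParentProcessName, SubjectUserName) are taken from the standard Windows event schema, and the Sysmon field names (ImageLoaded, Hashes, Signed, SignatureStatus, Image, ParentImage, User) from Sysmon's event schema.

```python
"""Triage of XML-rendered Windows events for the two T1068 checks above.
Added example for this page, not code from MITRE or Positive Technologies;
the blocklist hash, event records and account names are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed blocklist keyed by SHA256 of the driver image (placeholder, not a real hash).
PLACEHOLDER_VULN_SHA256 = "0" * 63 + "1"
VULNERABLE_DRIVER_SHA256 = {PLACEHOLDER_VULN_SHA256: "placeholder-vuln-driver-a.sys"}

# Analytic 1: spoolsv.exe or conhost.exe created with cmd.exe as the parent.
WATCHED_IMAGES = {r"c:\windows\system32\spoolsv.exe", r"c:\windows\system32\conhost.exe"}
WATCHED_PARENT = r"c:\windows\system32\cmd.exe"


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) from one XML-rendered Windows event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(hashes_field):
    """Sysmon writes 'SHA256=...,MD5=...,IMPHASH=...'; map algorithm -> lowercase digest."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(data):
    """Sysmon Event ID 6 (DriverLoad): blocklisted hash first, then signature state."""
    image = data.get("ImageLoaded", "")
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        return Finding(6, "known_vulnerable_driver",
                       f"{image} matches blocklist entry {VULNERABLE_DRIVER_SHA256[sha256]}")
    if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus") != "Valid":
        return Finding(6, "unsigned_or_invalid_driver",
                       f"{image} Signed={data.get('Signed')} SignatureStatus={data.get('SignatureStatus')}")
    return None


def check_process_create(event_id, data):
    """Analytic 1 over Sysmon Event ID 1 or Security 4688, which names its fields differently."""
    image = (data.get("Image") or data.get("NewProcessName") or "").lower()
    parent = (data.get("ParentImage") or data.get("ParentProcessName") or "").lower()
    if image in WATCHED_IMAGES and parent == WATCHED_PARENT:
        user = data.get("User") or data.get("SubjectUserName") or "?"
        return Finding(event_id, "analytic1_spoolsv_conhost_from_cmd", f"{parent} -> {image} user={user}")
    return None


def triage(events):
    """Run both checks over a list of XML event strings and collect the findings."""
    findings = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        finding = None
        if event_id == 6:
            finding = check_driver_load(data)
        elif event_id in (1, 4688):
            finding = check_process_create(event_id, data)
        if finding is not None:
            findings.append(finding)
    return findings


def _event(event_id, fields):
    """Build a minimal XML event record (constructed sample, not a captured log)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed sample: blocklisted driver, benign driver, unsigned driver, then
# spoolsv/conhost under cmd.exe (Sysmon 1 and Security 4688) and a normal spoolsv start.
SAMPLE_EVENTS = [
    _event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\placeholder-vuln-driver-a.sys",
               "Hashes": f"SHA256={PLACEHOLDER_VULN_SHA256},MD5={'0' * 32}", "Signed": "true", "SignatureStatus": "Valid"}),
    _event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
               "Hashes": f"SHA256={'0' * 63}2", "Signed": "true", "SignatureStatus": "Valid"}),
    _event(6, {"ImageLoaded": r"C:\Users\Public\loader.sys", "Hashes": f"SHA256={'0' * 63}3",
               "Signed": "false", "SignatureStatus": "Unavailable"}),
    _event(1, {"Image": r"C:\Windows\System32\spoolsv.exe",
               "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\lowpriv"}),
    _event(4688, {"NewProcessName": r"C:\Windows\System32\conhost.exe",
                  "ParentProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "lowpriv"}),
    _event(1, {"Image": r"C:\Windows\System32\spoolsv.exe",
               "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"EventID {finding.event_id} [{finding.rule}] {finding.detail}")
```

Two points worth keeping in mind when adapting this. Event ID 6 only carries a SHA256 value if the Sysmon configuration's HashAlgorithms setting includes it, and a signed driver that is simply not on the list passes the first check, so the value of the driver branch depends entirely on how current the blocklist is. On current Windows versions conhost.exe is normally created by the console application that uses it, cmd.exe included, so the conhost half of Analytic 1 fires constantly and needs baselining (for example by user, parent command line, or session type) before it is useful as an alert; the spoolsv.exe branch is far more specific because the spooler is normally started by services.exe.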

Mitigation

ID: M1019
Name: Threat Intelligence Program
Description:

Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.

ID: M1038
Name: Execution Prevention
Description:

Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.

ID: M1048
Name: Application Isolation and Sandboxing
Description:

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.

ID: M1050
Name: Exploit Protection
Description:

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.

ID: M1051
Name: Update Software
Description:

Update software regularly by employing patch management for internal enterprise endpoints and servers.