T1087.002: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
postfix: PT-CR-2716: Postfix_User_Enumeration: Enumeration of existing users in the system via SMTP. An attacker can use the obtained information for further attacks (for example, password bruteforcing for the list of existing users).
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_discovery: PT-CR-320: Account_Or_Group_Discovery_Via_SAM_R: An attempt to retrieve a list of accounts via SAM-R is detected
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to receive information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-1080: Delegated_Accounts_Recon: Dump of accounts with delegation privileges from Active Directory
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_discovery: PT-CR-77: User_Object_Ldap_Request: Dump of "user" objects from Active Directory
mitre_attck_discovery: PT-CR-1086: Users_Discovery_Via_Skype: Domain accounts are uploaded via Skype (Lync)
mitre_attck_discovery: PT-CR-319: Account_Discovery: An attempt to retrieve a list of accounts is detected
mitre_attck_discovery: PT-CR-2548: LocalGroupListMembers_From_Remote_Host: A security-enabled local group membership was enumerated from a remote host
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
mitre_attck_discovery: PT-CR-88: SPN_LDAP_Requests: Dump of "service" objects from Active Directory
freeipa: PT-CR-2167: FreeIPA_Kerbrute_Userenum: The Kerbrute utility was used in the FreeIPA domain in the userenum mode to discover existing account names
freeipa: PT-CR-2601: FreeIPA_Directory_Data_Collection: JXplorer or a similar utility was used in the network to collect information about domain computers, users, groups, and so on in the FreeIPA domain.
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2146: FreeIPA_Recon_Commands: Commands typically used for reconnaissance were executed in the FreeIPA domain
freeipa: PT-CR-2577: FreeIPA_Cache_Credentials_Access: Access to file cache_credentials containing domain users' cached credentials
freeipa: PT-CR-2576: FreeIPA_Id2entry_Dump: Access to file id2entry.db containing domain users' data
clickhouse: PT-CR-1570: ClickHouse_Account_Discovery: An attempt to retrieve a list of user accounts is detected
clickhouse: PT-CR-1573: ClickHouse_Users_Privileges_Discovery: An attempt to receive information about user privileges is detected
bruteforce: PT-CR-887: Windows_Password_Spraying: Password spraying on a Windows host. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users.
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: Creating a snapshot of the Active Directory structure. This may indicate that intelligence is being conducted in the Active Directory structure. An attacker can use the data obtained to form an attack vector and increase privileges.
active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed a suspicious LDAP request that may indicate reconnaissance in the domain
active_directory_attacks: PT-CR-1986: Machine_Account_Quota_Access: A user accessed the MS-DS-Machine-Account-Quota attribute (the number of computer accounts that a user is allowed to create in a domain). Attackers can view this attribute to change it later.
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-841: SilentHound_AD_Enumeration: Credentials from Active Directory are acquired via enumeration using SilentHound
hacking_tools: PT-CR-2244: SOAPHound_Usage: SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: Detecting the launch of the SharpHound (BloodHound) tool using one of the methods ObjectProps, ACL, Trusts, or Container. ObjectProps performs Object Properties collection for properties such as LastLogon or PwdLastSet; ACL collects abusable permissions on objects in Active Directory; Trusts collects domain trusts; Container collects the OU tree structure and Group Policy links
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups.
DS0009 | Process: Process Creation | Monitor for processes that can be used to enumerate domain accounts and groups, such as
DS0017 | Command: Command Execution | Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated to LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).
DS0036 | Group: Group Enumeration | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g. Windows EID 4798 and 4799.
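As an added example (not part of the MITRE technique page or the Positive Technologies rule base), the following Python matches the enumeration commands named above in process-creation command lines and, following the detection note that discovery events should be read as a chain rather than in isolation, raises an alert only when several distinct discovery commands run on one host inside a short window. The event records, host names and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the enumeration commands the technique page lists.
DISCOVERY_PATTERNS = {
    "net_user_domain": re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", re.I),
    "net_group_domain": re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I),
    "get_aduser": re.compile(r"\bGet-ADUser\b", re.I),
    "get_adgroupmember": re.compile(r"\bGet-ADGroupMember\b", re.I),
    "dscacheutil_group": re.compile(r"\bdscacheutil\s+-q\s+group\b", re.I),
    "ldapsearch": re.compile(r"\bldapsearch\b", re.I),
}

def classify(cmdline):
    """Return the label of the first matching discovery pattern, or None."""
    for label, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None

def find_mass_recon(events, window=timedelta(minutes=10), threshold=3):
    """Flag hosts on which at least `threshold` distinct discovery commands
    ran within `window`; a single hit is kept for context, not alerted."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            per_host[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological; each hit is (timestamp, label)
        for i, (start, _) in enumerate(hits):
            seen = {lbl for ts, lbl in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample process-creation events (hosts, times and lines invented).
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 1, 9, 0, 0), "host": "WS01", "cmdline": "net user /domain"},
    {"ts": datetime(2024, 1, 1, 9, 1, 30), "host": "WS01", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": datetime(2024, 1, 1, 9, 4, 0), "host": "WS01", "cmdline": "powershell -c Get-ADGroupMember -Identity 'Domain Admins'"},
    {"ts": datetime(2024, 1, 1, 9, 5, 0), "host": "WS02", "cmdline": "net user alice /domain"},
    {"ts": datetime(2024, 1, 1, 9, 6, 0), "host": "WS02", "cmdline": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    print(find_mass_recon(SAMPLE_EVENTS))
```

Only WS01 is reported, because WS02 ran a single lookup; the window and threshold are tuning knobs that trade recall for noise from administrators' routine queries.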
Mitigation
ID | Name | Description
---|---|---
M1028 | Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at