T1098: Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Package | Rule ID | Rule name | Description
---|---|---|---
supply_chain | PT-CR-1935 | SupplyChain_TeamCity_Modify_Group | A user changed group membership or a role in TeamCity. Attackers can perform such actions to maintain access.
supply_chain | PT-CR-1781 | SupplyChain_Mass_Maintainer_Or_Owner_Role_Assign | Mass assignment of the Maintainer or Owner roles.
supply_chain | PT-CR-1778 | SupplyChain_Maintainer_Or_Owner_Role_Assign | Assignment of the Maintainer or Owner role.
mongo_database | PT-CR-530 | MongoDB_Grant_High_Role | An attempt to elevate the privileges of an account.
enterprise_1c_and_bitrix | PT-CR-674 | Enterprise_1C_Manipulate_User_With_Critical_Roles | A critical user account was changed or deleted.
enterprise_1c_and_bitrix | PT-CR-678 | Enterprise_1C_Multiple_User_Unlock | Batch account unlocking.
enterprise_1c_and_bitrix | PT-CR-675 | Enterprise_1C_Multiple_User_Password_Change | Multiple password changes for the same account.
mssql_database | PT-CR-417 | MSSQL_Login_Configuration_Change | An attempt to change database login settings.
mssql_database | PT-CR-405 | MSSQL_Administrator_Role_Manipulation | An attempt to assign the administrator role to an account.
kaspersky | PT-CR-1846 | Kaspersky_Enable_User | A user enabled an account.
kaspersky | PT-CR-1848 | Kaspersky_Add_Role_To_User | A user added new rights to a user or group.
pt_nad | PT-CR-737 | NAD_SAM_Account_Name_Spoofing | A user requested a TGT (the PT NAD network-traffic counterpart of the sAMAccountName spoofing detection).
vulnerabilities | PT-CR-2199 | CVE_2023_7028_Gitlab_Password_Reset | Exploitation of CVE-2023-7028 in GitLab Community Edition and Enterprise Edition, which allows user account password reset emails to be delivered to unverified email addresses.
vulnerabilities | PT-CR-1369 | Windows_Roaming_Credential_Used | A change in the LDAP attributes msPKIAccountCredentials and msPKIRoamingTimestamp was detected. This indicates exploitation of a Windows Credential Roaming vulnerability, which allows writing to any file on behalf of the victim user.
mitre_attck_privilege_escalation | PT-CR-2656 | Changing_UAC_Flags | Critical userAccountControl flags of a user or host account were changed.
microsoft_mecm | PT-CR-1877 | MECM_Create_New_Roles | Creation of a new role in MECM.
microsoft_mecm | PT-CR-1875 | MECM_Privileges_Escalation_Via_Role | Privilege escalation for a user in MECM.
microsoft_mecm | PT-CR-1874 | MECM_Not_Allowed_Operation_With_Roles | Attempt to escalate privileges using roles in MECM.
mitre_attck_impact | PT-CR-496 | Remove_Account_From_Sensitive_Group | Attempt to remove an account from a group that is significant for information security (listed in the Significant_Windows_Groups table list).
mysql_database | PT-CR-624 | MySQL_Permissions_Operation | Attempt to change account permissions.
mysql_database | PT-CR-625 | MySQL_User_Operation | Attempt to change or delete a user account.
unix_mitre_attck_persistence | PT-CR-1673 | Unix_Suspicious_Etc_Modify | System files were changed.
microsoft_sharepoint | PT-CR-2109 | Sharepoint_Grant_Critical_Role | A user was assigned a critical SharePoint role.
microsoft_sharepoint | PT-CR-2115 | Sharepoint_Grant_User_Access | A user was granted login access to the SharePoint server.
zabbix | PT-CR-2048 | Zabbix_User_Multiple_Unlock | Batch account unlocking in Zabbix. This can be an attacker's attempt to escalate privileges.
zabbix | PT-CR-2050 | Zabbix_Critical_Group_Manipulate | A user performed an action on a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or to make system and network resources unavailable.
zabbix | PT-CR-2052 | Zabbix_Critical_Role_Manipulate | A user performed an action on a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or to make system and network resources unavailable.
zabbix | PT-CR-2054 | Zabbix_User_Multiple_Password_Change | A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence.
zabbix | PT-CR-2051 | Zabbix_Critical_User_Manipulate | A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or to make system and network resources unavailable.
freeipa | PT-CR-1958 | FreeIPA_Multiple_User_Password_Change | Multiple user password changes.
freeipa | PT-CR-1957 | FreeIPA_User_Manipulate_With_Critical_User | A critical user account was modified.
sap_java_suspicious_user_activity | PT-CR-543 | SAPASJAVA_User_Password_Changed | An account password was changed multiple times.
sap_java_suspicious_user_activity | PT-CR-534 | SAPASJAVA_Assign_User_To_Admin_Group | A user was added to an administrators group.
sap_java_suspicious_user_activity | PT-CR-541 | SAPASJAVA_Password_Changed_For_SAP_Standard_Users_And_Logon | The password of a default user was changed, and a user then logged in under this account.
sap_java_suspicious_user_activity | PT-CR-535 | SAPASJAVA_Authorization_Assignment_By_Non_Admin_User | A user was added to a group by a non-administrator user.
web_servers_abnormal_activity | PT-CR-1976 | Web_Servers_Abnormal_Activity_Modify_User_Privileges | A user profile was edited in a way that changes user privileges; an attacker can use this to elevate access.
drweb | PT-CR-2069 | DrWeb_Admin_Account_Modify | An action on an administrator account was performed. Such actions can preserve or extend access to systems and lead to security policy bypass.
network_devices_compromise | PT-CR-2284 | ViPNet_Policy_Manager_User_Privileges_Modify | User privileges were changed.
mitre_attck_persistence | PT-CR-1945 | Machine_Account_Attribute_Manipulation | A machine account attribute was changed.
mitre_attck_persistence | PT-CR-432 | Critical_Domain_Group_User_Add | A user was added to a privileged domain group.
mitre_attck_persistence | PT-CR-1862 | Add_User_To_Group | Attempt to add a user to a group.
mitre_attck_persistence | PT-CR-1348 | RID_Hijacking_Persistence | Persistence by hijacking an account's relative identifier (RID).
mitre_attck_persistence | PT-CR-2499 | KRBTGT_Delegation | Resource-based constrained delegation was configured for the krbtgt account. Attackers can use this to obtain TGTs and gain persistence in the system.
sap_suspicious_user_activity | PT-CR-230 | SAPASABAP_Assigning_Yourself_Privileges | A user assigned privileges to their own account.
sap_suspicious_user_activity | PT-CR-232 | SAPASABAP_Critical_Action_By_Non_Admin_User | A non-administrator user performed a critical action in the system.
clickhouse | PT-CR-1566 | ClickHouse_Grant_All_Roles | An attempt to change user rights or roles was detected.
apache_cassandra_database | PT-CR-2087 | Apache_Cassandra_Grant_All_Permissions | Attempt to grant all permissions to a role. This may indicate an attacker trying to hide their activity behind a privileged account.
microsoft_exchange | PT-CR-2360 | Exchange_Critical_Group_Manipulate | A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability.
microsoft_exchange | PT-CR-2411 | Exchange_Illegal_Distribution_Group_Modify | Change of Active Directory groups that have the option to automatically add users.
microsoft_exchange | PT-CR-2356 | Exchange_Role_Assignment_Policy_Actions | A user created or changed a management role assignment policy in Exchange. This could be an attacker's attempt to escalate privileges.
microsoft_exchange | PT-CR-2355 | Exchange_Admin_Role_Actions | A user performed an action on a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt the availability of system resources.
microsoft_exchange | PT-CR-2434 | Exchange_Distribution_Group_Member_Added | Attempt to add a user to a distribution group.
vmware_aria | PT-CR-2380 | Aria_Operations_User_Manage | Deletion or modification of multiple accounts, which can indicate an attacker attempting to lock owners out of Aria Operations.
vmware_aria | PT-CR-2381 | AOFL_User_Manage | Deletion or modification of multiple accounts, which can indicate an attacker attempting to lock owners out of Aria Operations for Logs.
vmware_aria | PT-CR-2368 | Aria_Operations_Change_Admin_Password_Via_CLI | The administrator password in Aria Operations was changed from the command line without the old password, which can indicate an attacker attempting to lock out the owner and/or access Aria Operations data.
active_directory_attacks | PT-CR-653 | AdminSDHolder_Modification_Attack | A value was added to the properties of the AdminSDHolder container. The SDProp process periodically copies its security descriptor to protected accounts and groups, so the change gives the attacker privileged access and a foothold in the infrastructure.
active_directory_attacks | PT-CR-831 | Computer_Delegation_Configured | One of the delegation types was configured in the domain: unconstrained delegation, constrained delegation, or resource-based constrained delegation. An attacker can use this setting to obtain users' TGT or TGS tickets, then elevate privileges and move laterally to other infrastructure nodes.
active_directory_attacks | PT-CR-1342 | Subrule_PowerView_Objects_Actions | Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) was detected.
active_directory_attacks | PT-CR-1984 | Machine_Account_Quota_Changes | The LDAP attribute ms-DS-MachineAccountQuota (MS-DS-Machine-Account-Quota, the number of computer accounts a user is allowed to create in the domain) was changed. This may precede the creation of a new computer account.
active_directory_attacks | PT-CR-654 | SAM_Account_Name_Spoofing | A user renamed an AD object to, or requested a TGT on behalf of, an account whose name matches a domain controller. This may indicate a sAMAccountName spoofing attack, which can let the attacker obtain a TGT in the name of a domain controller, gain a foothold in the system and elevate privileges.
active_directory_attacks | PT-CR-1343 | PowerViewPy_RBCD_Attack | Resource-based constrained delegation was configured in the domain. An attacker can use this setting to obtain a TGS ticket for the attacked account with administrator access to the server that hosts the service, then elevate privileges and move laterally to other infrastructure nodes.
active_directory_attacks | PT-CR-1344 | Remote_Actions_With_Domain_Objects | A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains.
active_directory_attacks | PT-CR-2298 | Zerologon_Attack | Exploitation of CVE-2020-1472 (Zerologon), which allows resetting the password of a domain controller machine account.
hacking_tools | PT-CR-2134 | SharpToken_Usage | SharpToken was used. The tool finds leaked tokens in all processes on the system and exploits them: from a low-privileged account it can be used to escalate to "NT AUTHORITY\SYSTEM" and to capture interactive user sessions.
hacking_tools | PT-CR-1947 | Powermad_Usage | Powermad was used to exploit AD account attributes.
security_code_secret_net_lsp | PT-CR-1895 | SecretNet_LSP_Manipulate_User_With_Critical_Roles | Critical account change.
security_code_secret_net_lsp | PT-CR-1890 | SecretNet_LSP_User_Elevating | User privilege escalation.
security_code_secret_net_lsp | PT-CR-1887 | SecretNet_LSP_Multiple_User_Password_Change | Multiple password changes for the same account.
postgresql_database | PT-CR-2334 | PostgreSQL_Assignment_Sensitive_Privilege | Assignment of sensitive privileges, which may result in privilege escalation up to root.
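The Active Directory rules above (AdminSDHolder_Modification_Attack, KRBTGT_Delegation and Computer_Delegation_Configured, Machine_Account_Quota_Changes, SAM_Account_Name_Spoofing, Windows_Roaming_Credential_Used) all key on writes to specific LDAP attributes. The following Python script is an added example, not Positive Technologies code and not the logic of any PT-CR rule: it runs the equivalent checks over constructed records shaped like Windows Directory Service Changes events (event ID 5136). The domain name, the DOMAIN_CONTROLLERS set, all account names and all attribute values are assumptions.

```python
"""Checks over Active Directory object-modification events (Directory Service
Changes audit, event ID 5136) for account-manipulation patterns.

Added example with constructed records; not Positive Technologies code.
"""

DOMAIN_DN = "DC=corp,DC=local"                 # assumed domain
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}        # assumed DC computer accounts

# Constructed records carrying a subset of the 5136 fields. In the raw event
# OperationType is %%14674 (Value Added) or %%14675 (Value Deleted).
SAMPLE_EVENTS = [
    {"SubjectUserName": "j.doe", "ObjectDN": f"CN=AdminSDHolder,CN=System,{DOMAIN_DN}",
     "ObjectClass": "container", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:PAI(A;;GA;;;S-1-5-21-1-2-3-1105)", "OperationType": "Value Added"},
    {"SubjectUserName": "j.doe", "ObjectDN": f"CN=krbtgt,CN=Users,{DOMAIN_DN}",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1106)",
     "OperationType": "Value Added"},
    {"SubjectUserName": "j.doe", "ObjectDN": DOMAIN_DN, "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "ms-DS-MachineAccountQuota", "AttributeValue": "100",
     "OperationType": "Value Added"},
    {"SubjectUserName": "j.doe", "ObjectDN": f"CN=WS-EVIL,CN=Computers,{DOMAIN_DN}",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": "sAMAccountName",
     "AttributeValue": "DC01", "OperationType": "Value Added"},
    {"SubjectUserName": "a.smith", "ObjectDN": f"CN=a.smith,OU=Staff,{DOMAIN_DN}",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "msPKIAccountCredentials",
     "AttributeValue": "<binary blob>", "OperationType": "Value Added"},
    {"SubjectUserName": "svc-prov", "ObjectDN": f"CN=b.lee,OU=Staff,{DOMAIN_DN}",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "department",
     "AttributeValue": "Finance", "OperationType": "Value Added"},   # benign change
]

_DC_NAMES = {d.rstrip("$").lower() for d in DOMAIN_CONTROLLERS}


def classify(event):
    """Return (rule, severity, detail) for a suspicious change, or None."""
    attr = event["AttributeLDAPDisplayName"].lower()
    dn = event["ObjectDN"]
    value = event["AttributeValue"]
    subj = event["SubjectUserName"]
    added = event["OperationType"] == "Value Added"

    # SDProp copies the AdminSDHolder ACL to protected accounts and groups, so
    # one ACE added here becomes persistent access to every protected object.
    if dn.lower().startswith("cn=adminsdholder,cn=system,") and attr == "ntsecuritydescriptor":
        return ("AdminSDHolder_Modification", "critical",
                f"{subj} changed the AdminSDHolder security descriptor")

    # Resource-based constrained delegation: writing this attribute on an object
    # lets the listed principal impersonate users to it; on krbtgt that yields TGTs.
    if attr == "msds-allowedtoactonbehalfofotheridentity" and added:
        if dn.lower().startswith("cn=krbtgt,"):
            return ("KRBTGT_Delegation", "critical", f"{subj} configured RBCD on krbtgt")
        return ("Computer_Delegation_Configured", "high", f"{subj} configured RBCD on {dn}")

    # Quota changes usually precede creation of attacker-controlled computer accounts.
    if attr == "ms-ds-machineaccountquota":
        return ("Machine_Account_Quota_Changes", "medium",
                f"{subj} set ms-DS-MachineAccountQuota to {value} on {dn}")

    # A sAMAccountName equal to a DC name (trailing '$' removed) is the rename
    # step of sAMAccountName spoofing.
    if attr == "samaccountname" and value.rstrip("$").lower() in _DC_NAMES:
        return ("SAM_Account_Name_Spoofing", "critical",
                f"{subj} renamed {dn} to {value}, colliding with a domain controller")

    # Credential-roaming attributes; noisy where credential roaming is deployed.
    if attr in ("mspkiaccountcredentials", "mspkiroamingtimestamp"):
        return ("Windows_Roaming_Credential_Used", "high",
                f"{subj} wrote {event['AttributeLDAPDisplayName']} on {dn}")
    return None


def detect(events):
    """Run classify() over a sequence of records and keep the hits."""
    return [hit for hit in map(classify, events) if hit is not None]


if __name__ == "__main__":
    for rule, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The checks match on the LDAP display name of the attribute rather than on the raw value, because the values (security descriptors, binary blobs) vary per environment; the value only matters for sAMAccountName, where the collision with a domain controller name is the whole signal. Directory Service Changes auditing must be enabled, and a SACL granting Write Property auditing must exist on the objects of interest, or event 5136 is never written.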
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the Monitor executed commands and arguments of suspicious commands (such as
DS0009 | Process: Process Creation | Monitor for newly constructed processes indicative of modifying account settings, such as those that modify
DS0022 | File: File Modification | Monitor for changes made to files related to account settings, such as
DS0026 | Active Directory: Active Directory Object Modification | Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.
DS0002 | User Account: User Account Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
DS0036 | Group: Group Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
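The User Account Modification and Group Modification rows point at event IDs 4738, 4728 and 4670 and at the same patterns the MaxPatrol rules above encode for Windows: a member added to a privileged group, a password reset performed by a different account (no old password required), repeated password changes on one account, and userAccountControl flag changes. The Python below is an added example, not code from MITRE or Positive Technologies; it runs those four checks over constructed Windows Security event records. SIGNIFICANT_GROUPS stands in for the page's Significant_Windows_Groups table list; the threshold, the window, the flag table and every name and time are assumptions.

```python
"""Checks over Windows Security account events (4723, 4724, 4728/4732/4756,
4738) for account-manipulation patterns.

Added example with constructed records; not MITRE or Positive Technologies code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the Significant_Windows_Groups table list (assumed contents).
SIGNIFICANT_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                      "Schema Admins", "Account Operators"}

# Flags in the Old/New UAC Value fields of event 4738. These are the SAM USER_*
# account flags (ntsam.h), not the LDAP userAccountControl bits; verify the
# mapping against your own 4738 events before relying on it.
UAC_FLAGS = {0x0001: "Account Disabled", 0x0004: "Password Not Required",
             0x0200: "Don't Expire Password", 0x2000: "Trusted For Delegation",
             0x10000: "Don't Require Preauth"}
RISKY_FLAGS = {0x0004, 0x2000, 0x10000}

PASSWORD_CHANGE_THRESHOLD = 3                # own-password changes of one account
PASSWORD_CHANGE_WINDOW = timedelta(hours=1)  # ... within this window

# Constructed records with a subset of the real event fields; times are ISO 8601.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Time": "2024-03-01T09:00:00", "SubjectUserName": "j.doe",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"EventID": 4728, "Time": "2024-03-01T09:01:00", "SubjectUserName": "j.doe",
     "TargetUserName": "Marketing", "MemberName": "CN=b.lee,OU=Staff,DC=corp,DC=local"},
    {"EventID": 4724, "Time": "2024-03-01T09:05:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "a.smith"},
    {"EventID": 4723, "Time": "2024-03-01T09:10:00", "SubjectUserName": "a.smith",
     "TargetUserName": "a.smith"},
    {"EventID": 4723, "Time": "2024-03-01T09:12:00", "SubjectUserName": "a.smith",
     "TargetUserName": "a.smith"},
    {"EventID": 4723, "Time": "2024-03-01T09:14:00", "SubjectUserName": "a.smith",
     "TargetUserName": "a.smith"},
    {"EventID": 4738, "Time": "2024-03-01T09:20:00", "SubjectUserName": "j.doe",
     "TargetUserName": "svc-backup", "OldUacValue": "0x210", "NewUacValue": "0x10210"},
    {"EventID": 4738, "Time": "2024-03-01T09:21:00", "SubjectUserName": "j.doe",
     "TargetUserName": "svc-backup", "OldUacValue": "0x10", "NewUacValue": "0x210"},
]


def detect_account_manipulation(events):
    """Return a list of (rule, detail) alerts, in event time order."""
    alerts = []
    own_changes = defaultdict(list)   # account -> times of its recent 4723 events
    for e in sorted(events, key=lambda ev: ev["Time"]):
        eid, subj, target = e["EventID"], e["SubjectUserName"], e["TargetUserName"]

        # Member added to a security-enabled global/local/universal group.
        if eid in (4728, 4732, 4756) and target in SIGNIFICANT_GROUPS:
            alerts.append(("Critical_Group_Member_Add",
                           f"{subj} added {e['MemberName']} to {target}"))

        # 4724 is a reset that needs no old password; flag it when the subject
        # is not the account owner.
        elif eid == 4724 and subj.lower() != target.lower():
            alerts.append(("Password_Reset_By_Other_Account",
                           f"{subj} reset the password of {target}"))

        # 4723 is a change made with the old password. Several in a short window
        # suggests cycling through the password history to keep a known password.
        elif eid == 4723:
            now = datetime.fromisoformat(e["Time"])
            times = own_changes[target.lower()]
            times.append(now)
            times[:] = [t for t in times if now - t <= PASSWORD_CHANGE_WINDOW]
            if len(times) == PASSWORD_CHANGE_THRESHOLD:
                alerts.append(("Multiple_User_Password_Change",
                               f"{target} changed its password {len(times)} times "
                               f"within {PASSWORD_CHANGE_WINDOW}"))

        # 4738 carries the account flags before and after the change.
        elif eid == 4738:
            old, new = int(e["OldUacValue"], 16), int(e["NewUacValue"], 16)
            enabled = [UAC_FLAGS[f] for f in sorted(RISKY_FLAGS) if new & f and not old & f]
            if enabled:
                alerts.append(("Changing_UAC_Flags",
                               f"{subj} enabled {', '.join(enabled)} on {target}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_account_manipulation(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The second 4738 record shows the caveat: enabling "Don't Expire Password" is a weakening too, but it is so common for service accounts that alerting on it without a whitelist produces noise; the risky set is where that tuning lives. Likewise a 4724 from a helpdesk account is routine, so in practice the subject-differs check is combined with the page's other signals (unusual time, unusual source host, a following logon as the target account).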
Mitigation
ID | Name | Description
---|---|---
M1018 | User Account Management | Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.
M1026 | Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
M1028 | Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.
M1030 | Network Segmentation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts.