MaxPatrol SIEM knowledge base

hacking_tools: PT-CR-2689: Covenant_Get_System: Privileges were escalated to SYSTEM using the "get_system" command after running a Covenant launcher and obtaining a reverse shell hacking_tools: PT-CR-2635: Cobalt_Strike_SpawnAs: Execution of the "SpawnAs" command using Cobalt Strike to spawn a new beacon on the current host as a different user whose credentials were provided hacking_tools: PT-CR-753: Cobalt_Strike_RunAs_Escalate: The "RunAs" command for privilege escalation was executed using Cobalt Strike software hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions. mitre_attck_privilege_escalation: PT-CR-1933: GodPotato_PrivEsc: Privilege escalation using the GodPotato technique allows an attacker with the ImpersonatePrivilege privilege to escalate their privileges to the System user. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes. mitre_attck_privilege_escalation: PT-CR-1217: RasMan_Potato: Local escalation of privileges from a service account to SYSTEM using the RasmanPotato technique is detected mitre_attck_privilege_escalation: PT-CR-853: RoguePotato_PrivEsc: Privileges are escalated using the RoguePotato technique mitre_attck_privilege_escalation: PT-CR-2992: EfsPotato_PrivEsc: The EfsPotato technique was used. Using this technique, attackers who hijacked an account with the SeImpersonatePrivilege can escalate their privileges to SYSTEM by exploiting a vulnerability in the MS-EFSR encryption protocol. This protocol is available as an RPC interface via the following SMB named pipes: \pipe\efsrpc, \pipe\lsarpc, \pipe\samr, \pipe\lsass, and \pipe etlogon. mitre_attck_privilege_escalation: PT-CR-1212: PrintNotify_Potato: Privileges of a service account are escalated using the PrintNotifyPotato technique mitre_attck_privilege_escalation: PT-CR-2615: System_Process_By_Local_Or_Network_Service: A process was started using the "local service" or "network service" account on behalf of user System. This may indicate privilege escalation using the Access Token Manipulation technique. mitre_attck_privilege_escalation: PT-CR-848: Named_Pipe_Impersonation_PrivEsc: Privileges are escalated using the Named Pipe Impersonation technique mitre_attck_privilege_escalation: PT-CR-864: Token_Manipulation: A privilege escalation operation using tokens is detected vulnerabilities: PT-CR-829: Certified_Priv_Esc_CVE_2022_26923: The domain privileges were escalated using vulnerability CVE-2022-26923 in Active Directory Certificate Services vulnerabilities: PT-CR-2929: CVE_2024_30085_PrivEsc_CldFlt: Possible exploitation of vulnerability CVE-2024-30085 in Windows Cloud Files Mini Filter Driver. This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges. vulnerabilities: PT-CR-3038: CVE_2025_33073_SMB_Client_Elevation: Exploitation of the CVE-2025-33073 vulnerability in Windows NTLM authentication. This vulnerability allows an attacker to bypass existing credential reflection mitigations and remotely obtain a system token. The attacker registers a fake DNS record with a specific name pattern, makes it point to a controlled IP address, and coerces the target system to authenticate to this address. mitre_attck_cred_access: PT-CR-1363: Masky_Tool_Usage: The use of the Masky tool is detected. Masky tool is designed to obtain NT hashes and TGT of users working on attacked hosts in order to request certificates on their behalf. capabilities_suspicious_activity: PT-CR-3044: CAP_Base64_Encoded_DNS_Request: A request for DNS parameters for a resource contains Base64 encoding. Attackers can encode requests to disguise their activity.