T1135: Network Share Discovery
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the `net view \\remotesystem` command. It can also be used to query shared drives on the local system using `net share`. For macOS, the `sharing -l` command lists all shared points used for smb services.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
- mitre_attck_discovery: PT-CR-323: Network_Share_Discovery: An attempt to retrieve a list of network shares is detected
- mitre_attck_discovery: PT-CR-922: Multiple_Shares_Enum_On_Single_Host: Multiple attempts to access shared resources in a short period of time on behalf of one account from one IP address are detected
- mitre_attck_discovery: PT-CR-1085: Shares_Discovery: Domain file shares are searched
- mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
- active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
- saltstack: PT-CR-2324: SaltStack_Run_List_Master_Command: Salt command cp.list_master was executed
- hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
- hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly
- hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
- hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
- hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
- hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
- hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts.
- hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
- hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: OS API Execution | Monitor for API calls that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. |
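The Command Execution and Process Creation data sources above come down to recognising the commands the technique description names (`net view \\remotesystem`, `net share`, `sharing -l`) in process-creation telemetry, and then noticing when one account fans them out across many hosts in a short window, which is the idea behind a rule such as Multiple_Shares_Enum_On_Single_Host. The following is an added example, not code from MITRE ATT&CK or from Positive Technologies' products: it classifies constructed process-creation records and reports bursts of remote enumeration per (user, source IP). The record fields (`ts`, `host`, `user`, `src_ip`, `image`, `cmdline`) and the sample events are assumptions made for illustration, not any product's real schema.

```python
"""Added example (not from the MITRE ATT&CK page or Positive Technologies):
flag share-discovery commands in process-creation records and spot bursts of
remote enumeration from one account and IP. The record fields and sample
events below are constructed for illustration, not a real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: three `net view` calls plus a `net share` from one
# user, a share *creation* (not discovery), a macOS listing, and a decoy whose
# command line merely contains the words "net view".
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "user": "CORP\\alice", "src_ip": "10.0.0.5",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net view \\\\FS01"},
    {"ts": "2024-05-01T09:00:03", "host": "WS01", "user": "CORP\\alice", "src_ip": "10.0.0.5",
     "image": "C:\\Windows\\System32\\net1.exe", "cmdline": "C:\\Windows\\system32\\net1 view \\\\FS02"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "CORP\\alice", "src_ip": "10.0.0.5",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net  view  \\\\DC01"},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "user": "CORP\\alice", "src_ip": "10.0.0.5",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net share"},
    {"ts": "2024-05-01T09:15:00", "host": "WS07", "user": "CORP\\bob", "src_ip": "10.0.0.9",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net share Backup=D:\\backup"},
    {"ts": "2024-05-01T09:16:00", "host": "MAC03", "user": "carol", "src_ip": "10.0.1.4",
     "image": "/usr/sbin/sharing", "cmdline": "sharing -l"},
    {"ts": "2024-05-01T09:20:00", "host": "WS07", "user": "CORP\\bob", "src_ip": "10.0.0.9",
     "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe C:\\notes\\net view.txt"},
]


def _basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (label, target) when the event is a share-discovery command, else None.
    Matching on the image name plus parsed arguments avoids false hits on
    command lines that only happen to contain the words "net view"."""
    image = _basename(event["image"])
    args = event["cmdline"].split()[1:]   # argv[0] dropped; quoting ignored for brevity
    if image in ("net.exe", "net1.exe") and args:   # net.exe hands most work to net1.exe
        sub = args[0].lower()
        if sub == "view" and len(args) > 1 and args[1].startswith("\\\\"):
            return ("net_view_remote", args[1].lower())
        # `net share` alone (or with a share name) lists; `X=path` or /delete modifies shares
        if sub == "share" and not any("=" in a or a.lower() == "/delete" for a in args[1:]):
            return ("net_share_local", None)
    if image == "sharing" and "-l" in args:
        return ("sharing_list", None)
    return None


def detect(events):
    """All (event, label, target) triples for share-discovery commands, in input order."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((ev, hit[0], hit[1]))
    return hits


def burst_enumeration(events, min_targets=3, window=timedelta(seconds=60)):
    """(user, src_ip) pairs that enumerate at least min_targets distinct remote hosts
    inside one window, the idea behind a 'many shares from one account and IP
    in a short period' rule. Returns [((user, src_ip), sorted_targets), ...]."""
    per_actor = defaultdict(list)
    for ev, label, target in detect(events):
        if label == "net_view_remote":
            per_actor[(ev["user"], ev["src_ip"])].append(
                (datetime.fromisoformat(ev["ts"]), target))
    alerts = []
    for actor, seq in per_actor.items():
        seq.sort()
        for start, _ in seq:   # slide a window starting at each observation
            targets = {t for ts, t in seq if start <= ts < start + window}
            if len(targets) >= min_targets:
                alerts.append((actor, sorted(targets)))
                break
    return alerts


if __name__ == "__main__":
    for ev, label, target in detect(SAMPLE_EVENTS):
        print(f'{ev["ts"]} {ev["host"]:<6} {ev["user"]:<12} {label:<16} {ev["cmdline"]}')
    for (user, ip), targets in burst_enumeration(SAMPLE_EVENTS):
        print(f"BURST {user}@{ip} enumerated {len(targets)} hosts: {', '.join(targets)}")
```

Two design points carry over to a real rule: key on the executing image and parsed arguments rather than a substring of the command line (the `notepad.exe` decoy above is not flagged, and a share creation is distinguished from a listing), and keep the single-command match and the burst logic separate, since a lone `net share` on a workstation is routine while three `net view` targets in a minute from one account is the signal worth an alert.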
Mitigation
| ID | Name | Description |
|---|---|---|
| M1028 | Operating System Configuration | Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares. |