T1135: Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. The Net utility can be used to query a remote system for available shared drives with the net view \\remotesystem command, and to list shared drives on the local system with net share. On macOS, the sharing -l command lists all share points exposed over SMB.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

netflow: PT-CR-2920: Netflow_SMB_Anomaly: Suspicious SMB traffic from a host that is not a domain controller, router, or switch. Attackers can use SMB to further penetrate the network and gain access to sensitive data.
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts.
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly
mitre_attck_discovery: PT-CR-922: Multiple_Shares_Enum_On_Single_Host: Multiple attempts to access shared resources in a short period of time on behalf of one account from one IP address are detected
mitre_attck_discovery: PT-CR-323: Network_Share_Discovery: An attempt to retrieve a list of network shares is detected
mitre_attck_discovery: PT-CR-2753: NullSession_System_Discovery: Remote connection to the SAMR and LSARPC named pipes from the same host on behalf of an anonymous account. This may indicate the collection of information about the target system without using credentials (Null Session).
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_discovery: PT-CR-1085: Shares_Discovery: Domain file shares are searched
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
saltstack: PT-CR-2324: SaltStack_Run_List_Master_Command: Salt command cp.list_master was executed
microsoft_exchange: PT-CR-2764: Exchange_ActiveSync_Discovery_SMB: Obtaining a list of published directories by remotely connecting to the SRVSVC named pipe and then polling the received directories via SMB from the Exchange mail server on behalf of a personalized account

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
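As an added illustration of the detection ideas above (this is not code from MITRE or Positive Technologies), the following Python applies two of them to constructed sample data: it flags an account and source address that touch many distinct shares within a short window (the pattern behind a rule such as Multiple_Shares_Enum_On_Single_Host), and it matches process command lines against the enumeration commands named in the technique description. The record layout, field names, thresholds and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines modelled on Windows Security event 5140
# ("A network share object was accessed"); not real telemetry.
SAMPLE_5140 = [
    "2024-05-01T10:00:01 5140 user=alice src=10.0.0.5 share=\\\\FS01\\Finance",
    "2024-05-01T10:00:02 5140 user=alice src=10.0.0.5 share=\\\\FS01\\HR",
    "2024-05-01T10:00:03 5140 user=alice src=10.0.0.5 share=\\\\FS01\\IT",
    "2024-05-01T10:00:04 5140 user=alice src=10.0.0.5 share=\\\\FS01\\Backups",
    "2024-05-01T10:00:05 5140 user=alice src=10.0.0.5 share=\\\\FS01\\Public",
    "2024-05-01T10:00:10 5140 user=bob src=10.0.0.9 share=\\\\FS01\\Public",
    "2024-05-01T10:20:00 5140 user=bob src=10.0.0.9 share=\\\\FS01\\HR",
]
# Constructed (user, host, command line) records modelled on event 4688.
SAMPLE_CMDLINES = [
    ("carol", "WS07", "net  view \\\\FS01"),
    ("carol", "WS07", "notepad.exe report.txt"),
    ("dave", "MAC02", "sharing -l"),
]
LINE_RE = re.compile(r"^(\S+) 5140 user=(\S+) src=(\S+) share=(\S+)$")
# The built-in share enumeration commands the technique description names.
CMD_RE = re.compile(r"^(?:net(?:\.exe)?\s+(?:view|share)\b|sharing\s+-l\b)", re.I)
def parse_5140(line):
    """Return (timestamp, user, src, share) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, share = m.groups()
    return datetime.fromisoformat(ts), user, src, share

def find_share_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (user, src) pairs touching >= threshold distinct shares in a sliding window."""
    by_actor = defaultdict(list)
    for ts, user, src, share in filter(None, map(parse_5140, lines)):
        by_actor[(user, src)].append((ts, share))
    hits = {}
    for actor, events in by_actor.items():
        events.sort()  # chronological, so each start anchors one window
        for i, (start, _) in enumerate(events):
            shares = {s for t, s in events[i:] if t - start <= window}
            if len(shares) >= threshold:
                hits[actor] = len(shares)
                break
    return hits

def find_enum_commands(records):
    """Return records whose command line enumerates shares (net view/share, sharing -l)."""
    return [r for r in records if CMD_RE.match(r[2].strip())]
```

Tune the threshold and window to the environment: a backup agent or a help-desk account may legitimately touch many shares, so baseline expected accounts before alerting on them.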

Mitigation

ID: M1028
Name: Operating System Configuration
Description:

Enable the Windows Group Policy security setting “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” to limit which users can enumerate network shares.