What Detections Does PTA Report?

PTA reports the following suspicious activities and indicators of compromise.

| Detection / Event Name | Detected when | Required Sensor (for details, see Forward Log Data to PTA) | Event Type ID |
|---|---|---|---|
| Suspected credentials theft | A user connects to a machine or a cloud service without first retrieving the required credentials from the Vault. | SIEM / Unix / AWS / Azure; Vault | 21 |
| Unmanaged privileged account | A connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault, or an account that is not stored in the Vault is added to a Windows local privileged group. PTA detects local accounts added to a group only if PTA receives a syslog on the account creation. | SIEM / Unix / AWS / Azure; Vault; AD (optional, for alerts on domain accounts) | 22 |
| Privileged access to the Vault during irregular hours | A user retrieves a privileged account password at an irregular hour for that user. | Vault | 23 |
| Excessive access to privileged accounts in the Vault | A user retrieves privileged accounts more frequently than normal for that user. | Vault | 24 |
| Privileged access to the Vault from irregular IP | A user accesses the Vault from an unusual IP address or subnet. | Vault | 25 |
| Active dormant Vault user | PTA identifies activity from a dormant user. | Vault | 26 |
| Anomalous access to multiple machines | An account logged on to a high number of machines during a relatively short time. | Network Sensor or PTA Windows Agent | 30 |
| PAC attack | PTA detects indications of a PAC (Privilege Account Certificate) attack in the network exploiting Kerberos vulnerability MS14-068. | Network Sensor or PTA Windows Agent | 31 |
| OverPass the Hash attack | PTA detects indications of an Overpass the Hash attack in the network. PTA can detect Overpass the Hash attacks executed by Mimikatz tools or Rubeus. | Network Sensor or PTA Windows Agent | 32 |
| Golden Ticket attack | PTA detects indications of a Golden Ticket attack in the network. | Network Sensor or PTA Windows Agent | 33 |
| Suspected LSASS credentials harvesting | EPM suspects LSASS credentials harvesting occurred on a specific endpoint. | EPM on-prem | 34 |
| Suspected SAM hash harvesting | EPM suspects SAM hash harvesting occurred on a specific endpoint. | EPM on-prem | 35 |
| Malicious retrieval of domain accounts | There is a potentially malicious retrieval of credentials from the domain controller (DCSync). | Network Sensor or PTA Windows Agent | 36 |
| Exposed credentials | Services connecting with LDAP expose account credentials in clear text. | Network Sensor or PTA Windows Agent | 37 |
| Unconstrained delegation | PTA identifies accounts with unconstrained delegation (accounts that are granted permissive delegation privileges) that expose the domain to a high risk. | AD | 38 |
| Suspicious activities detected in a privileged session | PTA identifies a privileged session with activities (commands and Vault anomalies) defined as suspicious. | Vault | 39 |
| Suspected credentials theft from Chrome | EPM suspects credentials theft from Chrome occurred on a specific endpoint. | EPM on-prem | 40 |
| Suspected credentials theft from Firefox | EPM suspects credentials theft from Firefox occurred on a specific endpoint. | EPM on-prem | 41 |
| Suspected credentials theft from VNC | EPM suspects credentials theft from VNC occurred on a specific endpoint. | EPM on-prem | 43 |
| Suspected credentials theft from WinSCP | EPM suspects credentials theft from WinSCP occurred on a specific endpoint. | EPM on-prem | 44 |
| Suspected credentials theft from service account | EPM suspects credentials theft from a service account occurred on a specific endpoint. | EPM on-prem | 46 |
| Suspected domain credentials theft from local cache | EPM suspects domain credentials theft from the local cache occurred on a specific endpoint. | EPM on-prem | 47 |
| Suspicious request to boot in safe mode | A request to boot a machine in safe mode occurs. | EPM on-prem | 49 |
| Suspected credentials theft from mRemoteNG | EPM suspects credentials theft from mRemoteNG occurred on a specific endpoint. | EPM on-prem | 50 |
| Suspected credentials theft from CheckPoint Endpoint Security VPN | EPM suspects credentials theft from CheckPoint Endpoint Security VPN occurred on a specific endpoint. | EPM on-prem | 51 |
| Service account logged on interactively | PTA identifies an interactive logon with a service account. | SIEM; Vault (optional); AD (optional) | 52 |
| Risky SPN | PTA identifies privileged accounts with an SPN (service principal name) configuration that can be vulnerable to offline brute-forcing and dictionary attacks, allowing a malicious insider to recover the account's clear-text password. | AD | 53 |
| Privileged access to the Vault during irregular days | A user retrieves a privileged account password on an irregular day for that user. | Vault | 54 |
| Suspicious password change | PTA identifies a request to change or reset a password by bypassing the Password Manager. | SIEM / Unix; Vault | 55 |