What Detections Does PTA Report?

PTA reports multiple suspicious activities and indicators of compromise.

| Detection / Event Name | Event Description | Required Sensor | Event Type ID |
|---|---|---|---|
| Suspected credentials theft | Detected when a user connects to a machine or a cloud service without first retrieving the required credentials from the Vault. | Logs, Vault, AWS (optional), Azure (optional) | 21 |
| Unmanaged privileged account | Detected when a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault, or when an account that is not stored in the Vault was added to a Windows local privileged group. | Logs, Vault, AD (optional), AWS (optional), Azure (optional) | 22 |
| Privileged access to the Vault during irregular hours | Detected when a user retrieves a privileged account password at an irregular hour for that user. | Vault | 23 |
| Excessive access to privileged accounts in the Vault | Detected when a user retrieves privileged accounts more frequently than is normal for that user. | Vault | 24 |
| Privileged access to the Vault from irregular IP | Detected when a user accesses the Vault from an unusual IP address or subnet. | Vault | 25 |
| Active dormant Vault user | Detected when PTA detects indications of activity from a dormant Vault user. | Vault | 26 |
| Anomalous access to multiple machines | Detected when an account logged on to a high number of machines within a relatively short time. | Network Sensor, PTA Windows Agent | 30 |
| PAC attack | Detected when PTA detects indications of a PAC (Privilege Attribute Certificate) attack in the network. | Network Sensor, PTA Windows Agent | 31 |
| OverPass the Hash attack | Detected when PTA detects indications of an Overpass the Hash attack in the network. | Network Sensor, PTA Windows Agent | 32 |
| Golden Ticket attack | Detected when PTA detects indications of a Golden Ticket attack in the network. | Network Sensor, PTA Windows Agent | 33 |
| Suspected LSASS credentials harvesting | Detected or blocked when EPM suspects that LSASS credentials harvesting occurred on a specific endpoint. | EPM | 34 |
| Suspected SAM hash harvesting | Detected or blocked when EPM suspects that SAM hash harvesting occurred on a specific endpoint. | EPM | 35 |
| Malicious retrieval of domain accounts | Detected when there is a potentially malicious retrieval of credentials from the domain controller (DCSync). | Network Sensor, PTA Windows Agent | 36 |
| Exposed credentials | Detected when services connecting with LDAP expose account credentials in clear text. | Network Sensor, PTA Windows Agent | 37 |
| Unconstrained delegation | Accounts with unconstrained delegation are granted permissive delegation privileges and thereby expose the domain to a high risk. | AD | 38 |
| Suspicious activities detected in a privileged session | Detected when PTA identifies a privileged session with activities (commands and Vault anomalies) defined as suspicious. | Vault | 39 |
| Suspected credentials theft from Chrome | Detected or blocked when EPM suspects that credentials theft from Chrome occurred on a specific endpoint. | EPM | 40 |
| Suspected credentials theft from Firefox | Detected or blocked when EPM suspects that credentials theft from Firefox occurred on a specific endpoint. | EPM | 41 |
| Suspected credentials theft from VNC | Detected or blocked when EPM suspects that credentials theft from VNC occurred on a specific endpoint. | EPM | 43 |
| Suspected credentials theft from WinSCP | Detected or blocked when EPM suspects that credentials theft from WinSCP occurred on a specific endpoint. | EPM | 44 |
| Suspected credentials theft from service account | Detected or blocked when EPM suspects that credentials theft from a service account occurred on a specific endpoint. | EPM | 46 |
| Suspected domain credentials theft from local cache | Detected or blocked when EPM suspects that domain credentials theft from the local cache occurred on a specific endpoint. | EPM | 47 |
| Suspicious request to boot in safe mode | Detected or blocked by EPM when a request to boot a machine in safe mode occurred. | EPM | 49 |
| Suspected credentials theft from mRemoteNG | Detected or blocked when EPM suspects that credentials theft from mRemoteNG occurred on a specific endpoint. | EPM | 50 |
| Suspected credentials theft from CheckPoint Endpoint Security VPN | Detected or blocked when EPM suspects that credentials theft from CheckPoint Endpoint Security VPN occurred on a specific endpoint. | EPM | 51 |
| Service account logged on interactively | Detected when PTA identifies an interactive logon with a service account. | Logs, Vault (optional), AD (optional) | 52 |
| Risky SPN | Privileged accounts with an SPN (service principal name) configuration can be vulnerable to offline brute-force and dictionary attacks, allowing a malicious insider to recover the account's clear-text password. | AD | 53 |
| Privileged access to the Vault during irregular days | Detected when a user retrieves a privileged account password on an irregular day for that user. | Vault | 54 |
| Suspicious password change | Detected when PTA identifies a request to change or reset a password that bypasses the Password Manager. | Logs, Vault | 55 |