| Alert name | Alert ID |
| --- | --- |
| Account enumeration reconnaissance | ALERT_EXTERNAL_AATP_ACCOUNT_ENUMERATION_SECURITY_ALERT |
| Active Directory attributes reconnaissance (LDAP) | ALERT_EXTERNAL_AATP_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT |
| Data exfiltration over SMB | ALERT_EXTERNAL_AATP_SMB_DATA_EXFILTRATION_SECURITY_ALERT |
| Honeytoken activity | ALERT_EXTERNAL_AATP_HONEYTOKEN_ACTIVITY_SECURITY_ALERT |
| Malicious request of Data Protection API master key | ALERT_EXTERNAL_AATP_RETRIEVE_DATA_PROTECTION_BACKUP_KEY_SECURITY_ALERT |
| Network mapping reconnaissance (DNS) | ALERT_EXTERNAL_AATP_DNS_RECONNAISSANCE_SECURITY_ALERT |
| Remote code execution attempt | ALERT_EXTERNAL_AATP_REMOTE_EXECUTION_SECURITY_ALERT |
| Remote code execution over DNS | ALERT_EXTERNAL_AATP_DNS_REMOTE_CODE_EXECUTION_SECURITY_ALERT |
| Security principal reconnaissance (LDAP) | ALERT_EXTERNAL_AATP_LDAP_SEARCH_RECONNAISSANCE_SECURITY_ALERT |
| Suspected Brute Force attack (Kerberos, NTLM) | ALERT_EXTERNAL_AATP_BRUTE_FORCE_SECURITY_ALERT |
| Suspected Brute Force attack (LDAP) | ALERT_EXTERNAL_AATP_LDAP_BRUTE_FORCE_SECURITY_ALERT |
| Suspected Brute Force attack (SMB) | ALERT_EXTERNAL_AATP_ABNORMAL_SMB_BRUTE_FORCE_SECURITY_ALERT |
| Suspected DCShadow attack (domain controller promotion) | ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_ROGUE_PROMOTION_SECURITY_ALERT |
| Suspected DCShadow attack (domain controller replication request) | ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_ROGUE_REPLICATION_SECURITY_ALERT |
| Suspected DCSync attack (replication of directory services) | ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_REPLICATION_SECURITY_ALERT |
| Suspected Golden Ticket usage (encryption downgrade) | ALERT_EXTERNAL_AATP_GOLDEN_TICKET_ENCRYPTION_DOWNGRADE_SECURITY_ALERT |
| Suspected Golden Ticket usage (forged authorization data) | ALERT_EXTERNAL_AATP_FORGED_PAC_SECURITY_ALERT |
| Suspected Golden Ticket usage (nonexistent account) | ALERT_EXTERNAL_AATP_FORGED_PRINCIPAL_SECURITY_ALERT |
| Suspected Golden Ticket usage (ticket anomaly) | ALERT_EXTERNAL_AATP_GOLDEN_TICKET_SIZE_ANOMALY_SECURITY_ALERT |
| Suspected Golden Ticket usage (ticket anomaly using RBCD) | ALERT_EXTERNAL_AATP_RESOURCE_BASED_CONSTRAINED_DELEGATION_GOLDEN_TICKET_SECURITY_ALERT |
| Suspected Golden Ticket usage (time anomaly) | ALERT_EXTERNAL_AATP_GOLDEN_TICKET_SECURITY_ALERT |
| Suspected identity theft (pass-the-hash) | ALERT_EXTERNAL_AATP_PASS_THE_HASH_SECURITY_ALERT |
| Suspected identity theft (pass-the-ticket) | ALERT_EXTERNAL_AATP_PASS_THE_TICKET_SECURITY_ALERT |
| Suspected Kerberos SPN exposure (external ID 2410) | ALERT_EXTERNAL_AATP_KERBEROASTING_SECURITY_ALERT |
| Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) | ALERT_EXTERNAL_AATP_NETLOGON_BYPASS_SECURITY_ALERT |
| Suspected NTLM authentication tampering | ALERT_EXTERNAL_AATP_ABNORMAL_NTLM_SIGNING_SECURITY_ALERT |
| Suspected NTLM relay attack | ALERT_EXTERNAL_AATP_NTLM_RELAY_SECURITY_ALERT |
| Suspected overpass-the-hash attack (Kerberos) | ALERT_EXTERNAL_AATP_ABNORMAL_KERBEROS_OVERPASS_THE_HASH_SECURITY_ALERT |
| Suspected rogue Kerberos certificate usage | ALERT_EXTERNAL_AATP_ROGUE_CERTIFICATE_USAGE_SECURITY_ALERT |
| Suspected Skeleton Key attack (encryption downgrade) | ALERT_EXTERNAL_AATP_SKELETON_KEY_ENCRYPTION_DOWNGRADE_SECURITY_ALERT |
| Suspected SMB packet manipulation (CVE-2020-0796 exploitation) - (preview) | ALERT_EXTERNAL_AATP_SMB_GHOST_SECURITY_ALERT |
| Suspected use of Metasploit hacking framework | ALERT_EXTERNAL_AATP_ABNORMAL_SMB_METASPLOIT_SECURITY_ALERT |
| Suspected WannaCry ransomware attack | ALERT_EXTERNAL_AATP_ABNORMAL_SMB_WANNA_CRY_SECURITY_ALERT |
| Suspicious additions to sensitive groups | ALERT_EXTERNAL_AATP_ABNORMAL_SENSITIVE_GROUP_MEMBERSHIP_CHANGE_SECURITY_ALERT |
| Suspicious communication over DNS | ALERT_EXTERNAL_AATP_DNS_SUSPICIOUS_COMMUNICATION_SECURITY_ALERT |
| Suspicious service creation | ALERT_EXTERNAL_AATP_MALICIOUS_SERVICE_CREATION_SECURITY_ALERT |
| Suspicious VPN connection | ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT |
| User and Group membership reconnaissance (SAMR) | ALERT_EXTERNAL_AATP_SAMR_RECONNAISSANCE_SECURITY_ALERT |
| User and IP address reconnaissance (SMB) | ALERT_EXTERNAL_AATP_ENUMERATE_SESSIONS_SECURITY_ALERT |