Sophisticated Attacks Become More Detectable: MaxPatrol SIEM Adds 60 New Rules

Positive Technologies enhances protection for AD and Exchange.
The MaxPatrol SIEM cybersecurity event monitoring system has been updated with new threat detection rules. The update affected 18 expert content packages, enabling the detection of modern attack techniques targeting Microsoft Active Directory and Microsoft Exchange, as well as activity from hacker frameworks, malicious tactics aligned with the MITRE ATT&CK matrix, and network anomalies during remote work.
Hackers continuously invent new methods of attack, refine known techniques, and seek alternatives to tools already covered by security detection systems. To ensure effective protection and timely incident prevention, specialists at Positive Technologies track trends and emerging cybercriminal tactics, constantly expanding the expert content of MaxPatrol SIEM.
As part of a major expertise update, a total of 60 new correlation and normalization rules were developed. These enable the system to detect, among other things:
  • Modern network anomalies during remote work — including atypical VPN or RDG connections from outside Russia, suspicious activity on hosts that originates from remote administration software, and the creation of files through such software, which attackers may send to a target system to advance their attacks.
  • Additional indicators of previously known hacker tools like Cobalt Strike and Covenant, which continue to be used for post-exploitation and hiding unauthorized activity on endpoints.
  • The latest attack scenarios on Microsoft Active Directory — the updated expertise package allows MaxPatrol SIEM to alert operators to certificate requests for target accounts via NTLM relay attacks, issuing TGT tickets under another user’s identity by abusing certificate mapping, and other certificate-based threats.
  • New attack methods targeting Microsoft Exchange — among the detected events are the downloading of a user's mailbox contents via Microsoft ActiveSync (when credentials are already compromised) and the retrieval of Microsoft Exchange published directories, followed by attempts to connect to each via the SMB protocol.
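The certificate-related rules in the list above boil down to a correlation: a certificate issued on behalf of one identity is later used by a different identity to obtain a Kerberos TGT. The script below is an added example illustrating that logic; it is not MaxPatrol SIEM's rule content and not code from Positive Technologies. The event records are constructed and simplified, and the field names (`requester`, `subject_upn`, `cert_serial`, `preauth`) are assumptions loosely modelled on Windows events 4887 (certificate issued) and 4768 (TGT requested, pre-authentication type 16 for PKINIT).

```python
"""Correlate constructed AD CS issuance and Kerberos PKINIT events to flag a
certificate obtained for one account and used to get a TGT as another.

Added example: not MaxPatrol SIEM rules. Records and field names are
assumptions loosely modelled on Windows events 4887 and 4768."""
from datetime import datetime, timedelta

CERT_ISSUED = 4887    # Certificate Services issued a certificate
TGT_REQUESTED = 4768  # A Kerberos authentication ticket (TGT) was requested
PKINIT = 16           # Pre-authentication type for certificate-based logon

# Constructed sample stream (not real telemetry).
EVENTS = [
    # Legitimate: a user requests her own certificate and later logs on with it.
    {"time": "2025-04-04T09:00:00", "id": CERT_ISSUED, "requester": "CORP\\alice",
     "subject_upn": "alice@corp.example", "serial": "1a00", "template": "User"},
    {"time": "2025-04-04T09:05:00", "id": TGT_REQUESTED, "account": "alice",
     "preauth": PKINIT, "cert_serial": "1a00"},
    # Legitimate: a machine account enrolls for its own machine certificate.
    {"time": "2025-04-04T10:01:05", "id": CERT_ISSUED, "requester": "CORP\\DC01$",
     "subject_upn": "DC01$@corp.example", "serial": "2b00", "template": "Machine"},
    # Suspicious: a workstation account obtains a certificate naming a service
    # account, and that certificate is then used for a PKINIT TGT as that account.
    {"time": "2025-04-04T10:01:07", "id": CERT_ISSUED, "requester": "CORP\\WS-FIN-07$",
     "subject_upn": "svc-backup@corp.example", "serial": "3c00", "template": "User"},
    {"time": "2025-04-04T10:02:30", "id": TGT_REQUESTED, "account": "svc-backup",
     "preauth": PKINIT, "cert_serial": "3c00"},
    # Password logon: no certificate involved, must not alert.
    {"time": "2025-04-04T10:03:00", "id": TGT_REQUESTED, "account": "bob",
     "preauth": 2, "cert_serial": ""},
]


def normalize(principal: str) -> str:
    """Reduce 'CORP\\WS-FIN-07$' or 'alice@corp.example' to a bare lowercase name."""
    name = principal.split("\\")[-1].split("@")[0]
    return name.rstrip("$").lower()


def correlate(events, window: timedelta = timedelta(hours=24)):
    """Return alerts for (a) certificates whose subject is not the requester and
    (b) PKINIT TGTs obtained with a certificate issued to a different requester."""
    issued = {}  # serial -> (issue time, requester, subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == CERT_ISSUED:
            req, subj = normalize(ev["requester"]), normalize(ev["subject_upn"])
            issued[ev["serial"]] = (t, req, subj)
            if req != subj:
                alerts.append({"rule": "cert_identity_mismatch", "time": ev["time"],
                               "requester": req, "subject": subj,
                               "serial": ev["serial"], "template": ev["template"]})
        elif ev["id"] == TGT_REQUESTED and ev["preauth"] == PKINIT:
            rec = issued.get(ev["cert_serial"])
            if rec is None:
                continue  # certificate not seen issued in this stream
            t0, req, _subj = rec
            acct = normalize(ev["account"])
            if acct != req and t - t0 <= window:
                alerts.append({"rule": "pkinit_tgt_with_foreign_cert", "time": ev["time"],
                               "account": acct, "requester": req,
                               "serial": ev["cert_serial"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The first rule fires at issuance time, so it catches the certificate before it is used; the second confirms the abuse by tying a PKINIT logon back to the original requester through the certificate serial number. In a real deployment the serial-number field of the 4768 event and the exact 4887 attributes should be verified against the domain controllers' and CA's actual log schema before relying on them.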
Sergey Shcherbakov, Senior Specialist in the Advanced Threat Detection Group at Positive Technologies, explained:
“Hackers remain very interested in Microsoft's certification services. In recent months, attacks on Active Directory have become more widespread and remain among the most dangerous threats to companies.”
He emphasized that the certification service plays a critical role in domain infrastructure, yet it contains many vulnerabilities — which are exploited both before and after patches are released if updates are not installed in time. According to him, a successful attack often allows attackers to gain maximum privileges in a short period.
The revised expert package, which originally served as the foundation for MaxPatrol SIEM’s detection capabilities, has been significantly overhauled. It now integrates both legacy and new rules, and a dedicated set has been created specifically for attacks on Active Directory’s certification service.
Additionally, existing expert packages have been updated to enhance detection of techniques from the MITRE ATT&CK matrix, especially within the tactics of Credential Access, Discovery, Privilege Escalation, Persistence, and others.