Sigma Rules
351 rules found for "initial-access"
Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Microsoft 365 - Impossible Travel Activity
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
Microsoft 365 - User Restricted from Sending Email
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Suspicious Browser Child Process - MacOS
Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
Java Payload Strings
Detects possible Java payloads in web access logs
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs