Sigma Rules
351 rules found for "initial-access"
Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file
Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Password Provided In Command Line Of Net.EXE
Detects a when net.exe is called with a password in the command line
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
LSA PPL Protection Disabled Via Reg.EXE
Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Remote Access Tool - ScreenConnect Installation Execution
Detects ScreenConnect program starts that establish a remote access to a system.
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Phishing Pattern ISO in Archive
Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Running Chrome VPN Extensions via the Registry install 2 vpn extension
CVE-2010-5278 Exploitation Attempt
MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 Exploitation attempts
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
Arcadyan Router Exploitations
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978