Sigma Rules
351 rules found for "initial-access"
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Potential Local File Read Vulnerability In JVM Based Application
Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
OpenCanary - RDP New Connection Attempt
Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
Suspicious SQL Error Messages
Detects SQL error messages that indicate probing for an injection attack
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
RDS Database Security Group Modification
Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
Potential Malicious Usage of CloudTrail System Manager
Detect when System Manager successfully executes commands against an instance.
AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
AWS Root Credentials
Detects AWS root account usage
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Bitlocker Key Retrieval
Monitor and alert for Bitlocker key retrieval.
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters