Initial Access Detection Rules
The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
df00tech ships 36 production-ready detection rules mapped to the Initial Access tactic (TA0001). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, together with data-source requirements, severity and false-positive guidance. All rules are free to use.
Initial Access detections (36)
- CVE-2024-3400 Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse)
- CVE-2024-21413 Microsoft Outlook RCE via Moniker Link (MonikerLink)
- CVE-2024-21887 Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805)
- CVE-2024-23897 Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain)
- CVE-2024-30078 Windows Wi-Fi Driver Remote Code Execution via Adjacent Network
- CVE-2024-38112 Windows MSHTML Spoofing via .url File Phishing (Void Banshee)
- CVE-2024-43451 Windows NTLM Hash Disclosure via File Interaction (NTLMv2 Spoofing)
- CVE-2025-21298 Windows OLE Remote Code Execution via Malicious RTF Document
- CVE-2025-21589 Juniper Session Smart Router Authentication Bypass
- CVE-2025-24054 Windows NTLM Credential Leak via File Download Interaction
- CVE-2025-68670 xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence
- CVE-2026-1731 BeyondTrust Remote Support Pre-Auth Remote Code Execution
- T1078 Valid Accounts
- T1078.001 Default Accounts
- T1078.002 Domain Accounts
- T1078.003 Local Accounts
- T1078.004 Cloud Accounts
- T1091 Replication Through Removable Media
- T1133 External Remote Services
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1195 Supply Chain Compromise
- T1195.001 Compromise Software Dependencies and Development Tools
- T1195.002 Compromise Software Supply Chain
- T1195.003 Compromise Hardware Supply Chain
- T1199 Trusted Relationship
- T1200 Hardware Additions
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
- T1566.003 Spearphishing via Service
- T1566.004 Spearphishing Voice
- T1659 Content Injection
- T1669 Wi-Fi Networks
- THREAT-InitialAccess-PhishingMacro Phishing Document Macro Execution and Initial Access
- THREAT-VPN-CredentialStuffing VPN and Remote Access Credential Stuffing / Brute Force