Sigma Rules
8 rules found for "EagleEye Team"
Network Connection Initiated Via Notepad.EXE
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.