Rule Library

Sigma Rules

11 rules found for "FPT.EagleEye"

Detection · medium · test

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

Windows · Process Creation
TA0005 · Defense Evasion, TA0003 · Persistence, T1197 · BITS Jobs, S0190 · S0190 +3
Michael Haag +1 · Thu Mar 09 · windows
Detection · high · test

Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Windows · Process Creation
T1505.003 · Web Shell, T1190 · Exploit Public-Facing Application, TA0001 · Initial Access, TA0003 · Persistence +1
FPT.EagleEye Team +1 · Fri Dec 11 · windows
Detection · high · test

Suspicious Outlook Child Process

Detects a suspicious process spawning from an Outlook process.

Windows · Process Creation
TA0002 · Execution, T1204.002 · Malicious File
Michael Haag +4 · Mon Feb 28 · windows
Detection · high · test

Suspicious Microsoft Office Child Process

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Windows · Process Creation
TA0005 · Defense Evasion, TA0002 · Execution, T1047 · Windows Management Instrumentation, T1204.002 · Malicious File +1
Florian Roth (Nextron Systems) +7 · Fri Apr 06 · windows
Detection · high · stable

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.

Windows · Process Creation
TA0002 · Execution, T1059.001 · PowerShell
FPT.EagleEye +2 · Wed Mar 03 · windows
Detection · high · test

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.

Windows · Process Creation
TA0002 · Execution, T1059.001 · PowerShell, TA0009 · Collection, T1114 · Email Collection
FPT.EagleEye +1 · Wed Mar 03 · windows
Detection · high · test

PUA - AdFind Suspicious Execution

Detects AdFind execution with common flags seen used during attacks.

Windows · Process Creation
TA0007 · Discovery, T1018 · Remote System Discovery, T1087.002 · Domain Account, T1482 · Domain Trust Discovery +2
Janantha Marasinghe +3 · Tue Feb 02 · windows
Detection · high · test

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0002 · Execution
Roberto Rodriguez (Cyb3rWard0g) +4 · Mon Oct 12 · windows
Emerging Threat · critical · test

Potential Emotet Rundll32 Execution

Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ",RunDLL" or ",Control_RunDLL".

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
FPT.EagleEye · Fri Dec 25 2020
Emerging Threat · informational · test

Windows Spooler Service Suspicious Binary Load

Detects a DLL load from the Spooler Service backup folder. This behavior has been observed during exploitation of the Print Spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).

Windows · Image Load (DLL)
TA0003 · Persistence, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1574 · Hijack Execution Flow +3
FPT.EagleEye +1 · Tue Jun 29 2021
Emerging Threat · high · test

SOURGUM Actor Behaviours

Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM.

Windows · Process Creation
T1546 · Event Triggered Execution, T1546.015 · Component Object Model Hijacking, TA0003 · Persistence, TA0004 · Privilege Escalation +1
MSTIC +1 · Tue Jun 15 2021