Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

8 rules found for "FPT.EagleEye"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

WindowsProcess Creation
TA0005 · Defense EvasionTA0003 · PersistenceT1197 · BITS JobsS0190 · S0190+3
Michael Haag+1Thu Mar 09windows
Detectionhightest

Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

WindowsProcess Creation
T1505.003 · Web ShellT1190 · Exploit Public-Facing ApplicationTA0001 · Initial AccessTA0003 · Persistence+1
FPT.EagleEye Team+1Fri Dec 11windows
Detectionhightest

Suspicious Outlook Child Process

Detects a suspicious process spawning from an Outlook process.

WindowsProcess Creation
TA0002 · ExecutionT1204.002 · Malicious File
Michael Haag+4Mon Feb 28windows
Detectionhightest

Suspicious Microsoft Office Child Process

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1047 · Windows Management InstrumentationT1204.002 · Malicious File+1
Florian Roth (Nextron Systems)+7Fri Apr 06windows
Detectionhighstable

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShell
FPT.EagleEye+2Wed Mar 03windows
Detectionhightest

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0009 · CollectionT1114 · Email Collection
FPT.EagleEye+1Wed Mar 03windows
Detectionhightest

PUA - AdFind Suspicious Execution

Detects AdFind execution with common flags seen used during attacks

WindowsProcess Creation
TA0007 · DiscoveryT1018 · Remote System DiscoveryT1087.002 · Domain AccountT1482 · Domain Trust Discovery+2
Janantha Marasinghe+3Tue Feb 02windows
Detectionhightest

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

WindowsProcess Creation
TA0005 · Defense EvasionT1218 · System Binary Proxy ExecutionTA0002 · Execution
Roberto Rodriguez (Cyb3rWard0g)+4Mon Oct 12windows