The FGint ECAddPoints rule detects potential adversary behavior involving the manipulation of endpoint credentials or privilege escalation through suspicious process execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage lateral movement or persistence tactics that may go undetected by traditional monitoring.
YARA Rule
rule FGint_ECAddPoints
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        description = "FGint ECAddPoints"
        version = "0.1"
    strings:
        $c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 }
    condition:
        $c0
}
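As an added example (not part of this rule page or of _pusher_'s code), the following Python matcher translates the rule's single hex string $c0, including its ?? wildcards, into a bytes regex and scans a constructed buffer with it. It shows how the wildcarded operand bytes (the `8B 15 ?? ?? ?? ??` loads and `E8 ?? ?? ?? ??` calls) let the signature match regardless of the addresses linked into a given build, while a single changed fixed byte defeats it.

```python
import re

# $c0 copied from the FGint_ECAddPoints rule above; "??" is YARA's single-byte wildcard.
C0 = (
    "55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 "
    "8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 "
    "?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 "
    "8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 "
    "?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hex_string_to_regex(hex_string: str) -> "re.Pattern":
    """Translate a YARA hex string of fixed bytes and ?? wildcards into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL below makes '.' match 0x0A too)
        elif len(tok) == 2 and set(tok) <= HEX_DIGITS:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")  # jumps/alternation not handled
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, hex_string: str = C0) -> list:
    """Return every offset in buf at which the hex string matches (what YARA would report)."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]


def build_sample(fill: int = 0x90) -> bytes:
    """Constructed sample: the pattern's fixed bytes, with every ?? position set to `fill`."""
    out = bytearray()
    for tok in C0.split():
        out.append(fill if tok == "??" else int(tok, 16))
    return bytes(out)


if __name__ == "__main__":
    sample = b"\x00" * 16 + build_sample() + b"\xff" * 8
    print("match offsets:", scan(sample))  # the pattern sits at offset 16
```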
This rule contains 1 string pattern in its detection logic. Benign scenarios that may trigger it, with the exclusion filter to apply in each case, follow:
Scenario: Scheduled system maintenance or patching using Microsoft Update or WSUS
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "wuaucpl.msc"
Scenario: Automated backup jobs using Veeam Backup & Replication or Commvault
Filter/Exclusion: process.name != "vmbackup.exe" and process.name != "cvbackup.exe"
Scenario: User-initiated file system operations such as disk cleanup or defragmentation via Disk Cleanup Tool or Defraggler
Filter/Exclusion: process.name != "cleanmgr.exe" and process.name != "defraggler.exe"
Scenario: Admin task for Windows Event Log management using Event Viewer or LogParser
Filter/Exclusion: process.name != "eventvwr.exe" and process.name != "logparser.exe"
Scenario: Regular PowerShell scripting for system monitoring or reporting (e.g., using PowerShell ISE or PowerShell Core)
Filter/Exclusion: process.name != "powershell.exe" and process.name != "pwsh.exe"