Adversaries may use FGint FGIntDestroy to clean up malicious artifacts and evade detection by removing traces of their activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential post-compromise activities that could lead to persistence or data exfiltration.
YARA Rule
rule FGint_FGIntDestroy
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint FGIntDestroy"
    strings:
        $c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
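As an added example (not part of the rule set or of _pusher_'s work), the following Python translates the rule's hex string into a bytes regex, where each ?? matches any single byte as it does in YARA, and scans a constructed buffer so the wildcard positions (the mov edx,[imm32] and call rel32 operands) can be checked without yara-python installed.

```python
import re

# The rule's only string, copied verbatim from the YARA rule above.
C0 = "53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a
    compiled bytes regex. Only the plain-byte and ?? forms used by this
    rule are supported; jumps such as [4-6] are not."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # any single byte, as YARA's ?? does
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    # DOTALL so '.' also matches 0x0A, which YARA's ?? would match.
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, pattern: str = C0) -> list[int]:
    """Return the offsets where the pattern occurs; a non-empty list means
    the rule's condition '$c0' would be true for this buffer."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


# Constructed sample: NOP padding, then one instance of the 32-bit x86
# sequence the rule's bytes decode to (push ebx; mov ebx,eax;
# lea eax,[ebx+4]; mov edx,[imm32]; call rel32; pop ebx; ret) with
# arbitrary operand bytes in the wildcard slots, then INT3 padding.
SAMPLE = (
    b"\x90" * 7
    + bytes.fromhex("53 8B D8 8D 43 04 8B 15 10 20 30 00 E8 0A 00 00 00 5B C3")
    + b"\xCC" * 5
)

# Same bytes with the final 'ret' (C3) replaced by 'nop' (90): no match,
# because C3 is a fixed byte in the rule, not a wildcard.
SAMPLE_NO_RET = SAMPLE[:-6] + b"\x90" + SAMPLE[-5:]

if __name__ == "__main__":
    print(find_matches(SAMPLE))         # [7]
    print(find_matches(SAMPLE_NO_RET))  # []
```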
Scenario: Scheduled system cleanup using Windows Task Scheduler
Filter/Exclusion: process.parent_process != "schtasks.exe" or process.name != "cleanmgr.exe"
Scenario: Microsoft Endpoint Configuration Manager (MECM) performing a software inventory scan
Filter/Exclusion: process.name != "CCMExec.exe" or process.parent_process != "msiexec.exe"
Scenario: Windows Update Agent running a background update check
Filter/Exclusion: process.name != "wuauclt.exe" or process.parent_process != "svchost.exe"
Scenario: Docker running a container cleanup or image pruning task
Filter/Exclusion: process.name != "docker.exe" or process.parent_process != "dockerd.exe"
Scenario: Ansible executing a playbook for system maintenance
Filter/Exclusion: process.name != "ansible.exe" or process.parent_process != "powershell.exe"