Adversaries may be using FGint FGIntModExp to exploit weak cryptographic practices and extract sensitive data from systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or credential compromise attempts early.
YARA Rule
rule FGint_FGIntModExp
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint FGIntModExp"
    strings:
        $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic. The scenarios below describe benign activity that can generate noise around this detection, together with the filter or exclusion to apply in each case.
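To test the signature on a suspect file without yara-python installed, the following added example (my code, not part of the original rule or of the FGint library) parses the $c0 hex pattern with its `??` wildcards into a value/mask pair and scans a buffer; the sample buffer is constructed inline, and only the full-byte wildcard syntax the rule actually uses is supported.

```python
import re

# The $c0 pattern copied verbatim from the rule above.
C0 = (
    "55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 "
    "8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 "
    "83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? "
    "8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45"
)


def parse_hex_pattern(pattern):
    """Turn 'AA ?? BB' into (value, mask); a mask byte of 0x00 marks a wildcard.
    Only full-byte wildcards are handled; YARA jumps like [4-6] and nibble
    wildcards like ?A are rejected rather than silently mis-parsed."""
    value, mask = bytearray(), bytearray()
    for tok in pattern.split():
        if tok == "??":
            value.append(0x00); mask.append(0x00)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            value.append(int(tok, 16)); mask.append(0xFF)
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return bytes(value), bytes(mask)


def find_matches(data, pattern):
    """Return every offset in data where the masked pattern occurs."""
    value, mask = parse_hex_pattern(pattern)
    n = len(value)
    return [off for off in range(len(data) - n + 1)
            if all((b & m) == v for b, m, v in zip(data[off:off + n], mask, value))]


def build_sample(pattern, fill=0x90, prefix=b"MZ" + b"\x00" * 14):
    """Constructed test buffer: a 16-byte fake header, then the pattern with
    every wildcard position set to `fill` (0x90 is an arbitrary filler)."""
    value, mask = parse_hex_pattern(pattern)
    return prefix + bytes(v if m else fill for v, m in zip(value, mask))


if __name__ == "__main__":
    sample = build_sample(C0)
    print(find_matches(sample, C0))  # [16]
```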
Scenario: Scheduled system maintenance or patching using Windows Update or Group Policy Management Console (GPMC)
Filter/Exclusion: Check for EventID=1902 (Windows Update) or EventID=1000 (Group Policy processing) in the same timeframe. Exclude events where SourceName is “Microsoft Windows Update” or “Group Policy Client”.
Scenario: Regular backup jobs executed by Veeam Backup & Replication or Commvault
Filter/Exclusion: Filter events where ProcessName is VeeamBackup.exe or Commvault.exe, or where the CommandLine contains backup or snapshot.
Scenario: Logon and logoff events from legitimate user activity, such as remote desktop sessions or domain controller authentication
Filter/Exclusion: Exclude events where EventID=4624 (successful logon) or EventID=4634 (logoff), and where LogonType is 3 (Interactive) or 10 (Remote Interactive).
Scenario: Scheduled task execution via Task Scheduler for routine system checks or monitoring
Filter/Exclusion: Filter events where ProcessName is schtasks.exe or TaskScheduler and where the task name matches known legitimate tasks (e.g., DailySystemCheck, LogMonitor).
Scenario: Database maintenance tasks run by SQL Server Agent or Oracle DBMS_SCHEDULER
Filter/Exclusion: Exclude events where ProcessName is sqlservr.exe or oracle.exe, and where the task is associated with a known maintenance job (e.g., DBBackup, IndexRebuild).