Gootloader Stage 2 Registry Key Creation

 1title: Gootloader Stage 2 Registry Key Creation
 2id: 10ad1627-1a0a-4323-b3da-3a9394b9535a
 3status: experimental
 4description: Detects potential stage 2 Gootloader registry key creation.
 5references:
 6    - https://redcanary.com/blog/gootloader/
 7    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 8    - https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/
 9author: Micah Babinski
10date: 2022/11/07
11tags:
12    - attack.execution
13    - attack.defense_evasion
14    - attack.t1620
15logsource:
16    category: registry_add
17    product: windows
18detection:
19    selection:
20        EventType: 'CreateKey'
21        TargetObject|contains: 
22            - 'SOFTWARE\Microsoft\Phone\'
23            - 'SOFTWARE\Microsoft\Personalization\'
24        TargetObject|endswith: '0'
25        Image|endswith: '\wscript.exe'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high```

References

• The Goot cause: Detecting Gootloader and its follow-on activity

  

  Gootloader is a pervasive threat affecting enterprise organizations. This blog includes malware analysis and detection opportunities.

  
  Read More

• SEO Poisoning – A Gootloader Story

  

  In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…

  
  Read More

• Analysis of a trojanized jQuery script: GootLoader unleashed

  

  Update 24/10/202: We have noticed 2 changes since we published this report 3 months ago. The code has been adapted to use registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization” instead…

  
  Read More

Related rules

• Base64 Encoding in CMD or Powershell
• Command Shell Obfuscated Commands
• PowerShell Base64 Encoding
• Powershell Obfuscation and Escape Characters
• Abusing PowerShell to Disable Defender Components