Gootloader JavaScript Execution in AppData Folder (RedCanary Threat Detection Report)
Detects wscript.exe executing JavaScript (.js) files from a path under the AppData folder, the execution pattern attributed to Gootloader in the Red Canary 2023 Threat Detection Report.
Sigma rule

```yaml
title: Gootloader JavaScript Execution in AppData Folder (RedCanary Threat Detection Report)
id: 5e284df6-3a2e-4ac1-8907-29fdc6b43757
status: experimental
description: Detects execution of JavaScript (.js) files located in the AppData folder. Part of the RedCanary 2023 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/threats/gootloader/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
  - attack.defense_evasion
  - attack.t1036
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\wscript.exe'
    CommandLine|re: '(?i)appdata\\.*\.js'
  condition: selection
falsepositives:
  - Unknown
level: low
```
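To see exactly what the selection above does and does not fire on, here is the rule's two conditions implemented in plain Python and run over a handful of constructed process_creation events. This is an added example, not code from Red Canary or from the Sigma project, and the file paths, user name and `matches_rule`/`evaluate` function names are illustrative assumptions. It reproduces Sigma semantics that matter for this rule: the `endswith` modifier is case-insensitive, while the `re` modifier is case-sensitive, which is why the published pattern carries its own `(?i)` flag.

```python
import re

# The two selection fields exactly as published in the rule above.
IMAGE_SUFFIX = "\\wscript.exe"
COMMANDLINE_RE = re.compile(r"(?i)appdata\\.*\.js")


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection.

    Sigma's ``endswith`` is case-insensitive, so the image is compared in
    lower case. Sigma's ``re`` is case-sensitive, so the pattern's own
    ``(?i)`` is what makes 'APPDATA' match.
    """
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return image.lower().endswith(IMAGE_SUFFIX) and COMMANDLINE_RE.search(cmdline) is not None


# Constructed sample events (not real telemetry); paths and user name are made up.
SAMPLE_EVENTS = [
    {   # Gootloader-style: wscript.exe running a .js dropped under AppData\Roaming
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\example.js"',
    },
    {   # Same behaviour from SysWOW64, with mixed-case image and upper-case APPDATA
        "Image": r"C:\Windows\SysWOW64\WScript.exe",
        "CommandLine": r"wscript //B C:\Users\jdoe\APPDATA\Local\Temp\payload.js",
    },
    {   # Benign: wscript.exe running a logon script from a share, not under AppData
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe \\corp\netlogon\mapdrives.vbs",
    },
    {   # Same .js in AppData but launched via cscript.exe: outside the Image filter
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe C:\Users\jdoe\AppData\Local\Temp\payload.js",
    },
    {   # Edge case: '\.js' is not anchored, so a .json argument also matches
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\jdoe\AppData\Local\tool\config.json",
    },
]


def evaluate(events):
    """Apply the rule to each event; returns one boolean per event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH " if hit else "----- ", event["CommandLine"])
```

The first two events fire, the logon script and the cscript.exe launch do not, and the last event shows a property of the pattern worth knowing before deploying it: because `\.js` has no trailing anchor, any argument whose extension merely begins with `.js` (such as `.json`) also matches. Tightening the pattern to `\.js(\W|$)` or `\.js\b` removes that case without losing the Gootloader behaviour the rule targets.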
References
- https://redcanary.com/threat-detection-report/threats/gootloader/
Related rules
- Potential Homoglyph Attack Using Lookalike Characters
- Windows Scripting Host Executing JScript Files with MS-DOS Short Names (RedCanary Threat Detection Report)
- Process Creation With Double File Extension
- Suspicious Command Line Containing Right-to-Left Override
- Bumblebee WmiPrvSE execution pattern