Potential Goofy Guineapig Backdoor Activity

calendar Aug 12, 2024 · attack.execution detection.emerging-threats  ·
Share on: linkedin copy

Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.

Sigma rule (View on GitHub)

 1title: Potential Goofy Guineapig Backdoor Activity
 2id: 477a5ed3-a374-4282-9f3b-ed94e159a108
 3status: test
 4description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 7author: X__Junior (Nextron Systems)
 8date: 2023-05-14
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine|contains: 'choice /t %d /d y /n >nul'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

  • %PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...


    Read More

Related rules

to-top