Potential Goofy Guineapig Backdoor Activity

Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.

Sigma rule (View on GitHub)

 1title: Potential Goofy Guineapig Backdoor Activity
 2id: 477a5ed3-a374-4282-9f3b-ed94e159a108
 3status: test
 4description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 7author: X__Junior (Nextron Systems)
 8date: 2023-05-14
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine|contains: 'choice /t %d /d y /n >nul'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

Related rules

to-top