Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
Sigma rule
```yaml
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
  - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems)
date: 2023/05/14
tags:
  - attack.execution
  - detection.emerging_threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: 'choice /t %d /d y /n >nul'
  condition: selection
falsepositives:
  - Unlikely
level: high
```
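The rule keys on a `choice` command whose `/t` timeout is the literal text `%d` rather than a number, which is why the page calls it a "broken command" and rates false positives as unlikely: a batch script that uses `choice` as a sleep would carry a real integer there. The following is an added example, not code from this page or from the Sigma project, that re-implements just the `contains` modifier (Sigma's default string matching is case-insensitive; wildcards are not handled here) and runs the rule's selection over a few constructed process_creation events shaped as dictionaries with a `CommandLine` field.

```python
"""Added example: evaluate this rule's selection over constructed
process_creation events. Not the Sigma project's own code; it implements
only the 'contains' modifier and a plain equality fallback."""

# Field/value copied from the rule on this page.
RULE_SELECTION = {"CommandLine|contains": "choice /t %d /d y /n >nul"}
RULE_LEVEL = "high"
RULE_TITLE = "Potential Goofy Guineapig Backdoor Activity"


def _field_matches(event, field_spec, expected):
    """Evaluate one Sigma field condition such as 'CommandLine|contains'.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. Wildcards ('*', '?') are not supported in this example.
    """
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "contains":
        return expected.lower() in str(value).lower()
    if modifier == "":
        return str(value).lower() == expected.lower()
    raise NotImplementedError(f"modifier {modifier!r} not supported in this example")


def rule_matches(event, selection=RULE_SELECTION):
    """'condition: selection' means every field in the selection map must match."""
    return all(_field_matches(event, spec, val) for spec, val in selection.items())


def scan(events):
    """Return the events that trigger the rule."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # literal %d left in the timeout: the unformatted string the rule looks for
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "choice /t %d /d y /n >nul"',
    },
    {   # same idiom with a real timeout, as batch scripts use it to sleep: no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "choice /t 5 /d y /n >nul"',
    },
    {   # different casing still matches because Sigma matching is case-insensitive
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"CHOICE /T %D /D Y /N >NUL",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\user\notes.txt",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{RULE_LEVEL}] {RULE_TITLE}: {hit['CommandLine']}")
```

Running the script prints two alerts (the `%d` and `%D` events); the `choice /t 5` event is the benign sleep idiom and correctly does not match, which illustrates the "Unlikely" false-positive rating.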
References
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Related rules
- Goofy Guineapig Backdoor IOC
- Potential APT Mustang Panda Activity Against Australian Gov
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution