Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself from an uncommon location, a behaviour used by the Goofy Guineapig backdoor
Sigma rule
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
        Image|endswith: '\GoogleUpdate.exe'
    filter_main_legit_paths:
        - Image|startswith:
              - 'C:\Program Files\Google\'
              - 'C:\Program Files (x86)\Google\'
        - Image|contains: '\AppData\Local\Google\Update\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
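To show how the selection and filter above combine, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's logic over constructed process_creation events; the sample paths and the hypothetical evaluator functions are assumptions, and matching is case-insensitive as Sigma's string modifiers are.

```python
"""Added example: a minimal evaluator for the Sigma rule above, run over
constructed Windows process_creation events (field names Image/ParentImage).
Sigma's endswith/startswith/contains are case-insensitive, which matters on
Windows where the same path may be logged in mixed case."""

# Constructed sample events; paths are illustrative, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ParentImage": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe"},
    {"Image": r"C:\Users\Public\Libraries\GoogleUpdate.exe",   # uncommon location
     "ParentImage": r"C:\Users\Public\Libraries\GoogleUpdate.exe"},
    {"Image": r"c:\programdata\googleupdate.exe",               # mixed-case logging
     "ParentImage": r"C:\ProgramData\GoogleUpdate.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",                   # unrelated process
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _field(event, name):
    """Lower-cased field value so comparisons mirror Sigma's case folding."""
    return str(event.get(name, "")).lower()


def selection(event):
    """selection: both parent and child image end with \\GoogleUpdate.exe."""
    return (_field(event, "ParentImage").endswith("\\googleupdate.exe")
            and _field(event, "Image").endswith("\\googleupdate.exe"))


def filter_main_legit_paths(event):
    """filter_main_legit_paths: a list of maps, so the two entries are OR-ed."""
    image = _field(event, "Image")
    return (image.startswith(("c:\\program files\\google\\",
                              "c:\\program files (x86)\\google\\"))
            or "\\appdata\\local\\google\\update\\" in image)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_paths(event)


def run_detection(events):
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT GoogleUpdate self-spawn outside legitimate paths:", hit)
```

Only the two self-spawns outside the Google install directories are returned; the legitimate Program Files and per-user AppData updaters are suppressed by the filter.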
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- COLDSTEEL Persistence Service Creation