Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
Sigma rule (View on GitHub)
1title: Goofy Guineapig Backdoor Service Creation
2id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
3status: test
4description: Detects service creation persistence used by the Goofy Guineapig backdoor
5references:
6 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-05-15
9tags:
10 - attack.persistence
11 - detection.emerging-threats
12logsource:
13 product: windows
14 service: system
15detection:
16 selection:
17 Provider_Name: 'Service Control Manager'
18 EventID: 7045
19 ServiceName: 'GoogleUpdate'
20 ImagePath|contains|all:
21 - 'rundll32'
22 - 'FileProtocolHandler'
23 - '\ProgramData\GoogleUpdate\GoogleUpdate.exe'
24 condition: selection
25falsepositives:
26 - Unlikely
27level: critical
References
-
%PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...
Read More
Related rules
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit