Goofy Guineapig Backdoor Service Creation

Detects service creation persistence used by the Goofy Guineapig backdoor

Sigma rule (View on GitHub)

 1title: Goofy Guineapig Backdoor Service Creation
 2id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
 3status: test
 4description: Detects service creation persistence used by the Goofy Guineapig backdoor
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-15
 9tags:
10    - attack.persistence
11    - detection.emerging-threats
12logsource:
13    product: windows
14    service: system
15detection:
16    selection:
17        Provider_Name: 'Service Control Manager'
18        EventID: 7045
19        ServiceName: 'GoogleUpdate'
20        ImagePath|contains|all:
21            - 'rundll32'
22            - 'FileProtocolHandler'
23            - '\ProgramData\GoogleUpdate\GoogleUpdate.exe'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: critical

References

Related rules

to-top