Potentially Suspicious GoogleUpdate Child Process
Detects potentially suspicious child processes of "GoogleUpdate.exe"
Sigma rule
title: Potentially Suspicious GoogleUpdate Child Process
id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2
related:
    - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
      type: derived
status: test
description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-05-22
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
    filter_main_known_legit:
        # Other legitimate child processes might exist. Build a baseline before running this in production.
        - Image|contains: '\Google' # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe
        - Image|endswith:
              - '\setup.exe'
              - 'chrome_updater.exe'
              - 'chrome_installer.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
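As an added illustration (not part of the rule or of SigmaHQ), the Python below reproduces the rule's selection and both filters over constructed process_creation events, so the effect of the `Image: null` filter and the case-insensitive string modifiers can be seen; the event paths and the `matches_rule`/`evaluate` names are assumptions.

```python
# Added example: evaluates the Sigma rule's logic over constructed events.
# Sigma's endswith/contains modifiers are case-insensitive, so values are lower-cased.

LEGIT_SUFFIXES = ("\\setup.exe", "chrome_updater.exe", "chrome_installer.exe")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    parent = (event.get("ParentImage") or "").lower()
    # selection: ParentImage|endswith '\GoogleUpdate.exe'
    if not parent.endswith("\\googleupdate.exe"):
        return False
    image = event.get("Image")
    # filter_main_image_null: events without an Image field are excluded
    if image is None:
        return False
    image_l = image.lower()
    # filter_main_known_legit: Google-pathed binaries and the listed installers
    if "\\google" in image_l or image_l.endswith(LEGIT_SUFFIXES):
        return False
    return True


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": "evt-1", "ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Image": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\GoogleCrashHandler.exe"},
    {"id": "evt-2", "ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome_installer.exe"},
    {"id": "evt-3", "ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GOOGLEUPDATE.EXE",
     "Image": "C:\\Users\\Public\\svc.exe"},
    {"id": "evt-4", "ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Image": None},
    {"id": "evt-5", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\Public\\svc.exe"},
    {"id": "evt-6", "ParentImage": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Image": "C:\\Temp\\Setup.exe"},
]


def evaluate(events):
    """Return the ids of the events that would raise this rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-3']
```

Only evt-3 fires: evt-1, evt-2 and evt-6 hit the known-legit filter, evt-4 has no Image, and evt-5 has a different parent.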