Potentially Suspicious GoogleUpdate Child Process

Rule Info

Name
Potentially Suspicious GoogleUpdate Child Process
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potentially suspicious child processes of "GoogleUpdate.exe"
Reference
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Date
2023-05-15 00:00:00
Modified
2023-05-22 00:00:00
Id
84b1ecf9-6eff-4004-bafb-bae5c0e251b2
Tags
attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=84b1ecf9-6eff-4004-bafb-bae5c0e251b2

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
frack113
Update proc_creation_win_googleupdate_susp_child_process.yml
2023-05-30
924483d1c
phantinuss
fix: FP in prod env
2023-05-22
d7f3bf973
Nasreddine Bencherchali
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15
0cb01970e
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022