Potential Goopdate.DLL Sideloading

Rule Info

Tags
attack.defense_evasion attack.t1574.001 DEMO attack.privilege_escalation attack.t1574.002
Name
Potential Goopdate.DLL Sideloading
Id
b6188d2f-b3c4-4d2c-a17d-9706e0851af0
Date
2023-05-15 00:00:00
Modified
2023-05-20 00:00:00
Description
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Reference
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Author
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=b6188d2f-b3c4-4d2c-a17d-9706e0851af0

Rule History

Title
Author
Commit
Date
fix: typo in fp
Nasreddine Bencherchali
9d8b6def0
2023-05-20
fix: fp with goopdate
Nasreddine Bencherchali
e593068ab
2023-05-20
feat: new rules, updates and goofy guineapig stuff (#4229)
Nasreddine Bencherchali
0cb01970e
2023-05-15
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022