security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/image_load/image_load_side_load_goopdate.yml
T
frack113 83b9ff50bc Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags 
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
2025-05-15 12:17:10 +02:00

37 lines
1.5 KiB
YAML
Raw Blame History

title: Potential Goopdate.DLL Sideloading
id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
status: test
description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-05-20
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\goopdate.dll'
filter_main_generic:
ImageLoaded|startswith:
# Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
filter_optional_dropbox_installer_temp:
Image|contains|all:
- '\AppData\Local\Temp\GUM'
- '.tmp\Dropbox'
ImageLoaded|contains|all:
- '\AppData\Local\Temp\GUM'
- '.tmp\\goopdate.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
- Other third party chromium browsers located in AppData
level: medium
Reference in New Issue View Git Blame Copy Permalink