Type: Detection | Level: medium | Status: test
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Authors: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Mon May 15
Updated: Tue Oct 07
Rule ID: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (4 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\goopdate.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            # Many third-party Chromium-based apps use this DLL. It's better to create a baseline and add specific filters
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_dropbox_installer_temp:
        Image|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\Dropbox'
        ImageLoaded|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\goopdate.dll'
    filter_optional_googleupdate_temp:
        Image|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
        Image|endswith: '.tmp\GoogleUpdate.exe'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
Other third party chromium browsers located in AppData
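The following Python is an added example, not code from the Sigma rule or the Sigma project: it evaluates the detection logic above (selection, filter_main_generic, the two filter_optional_* selectors and the condition) against image-load events carrying Sysmon Event ID 7 style fields (Image, ImageLoaded). The sample events, the user name, the version directory and the baseline_user_chrome exclusion are all constructed for this example; the exclusion shows how the environment-specific filter the false-positive note asks for can be layered on without editing the shipped rule.

```python
"""Added example: evaluate the goopdate.dll sideloading rule against image-load
events. Sigma string modifiers compare case-insensitively, so all values are
lower-cased before matching. Field names follow Sysmon Event ID 7."""


def _lower(value):
    return (value or "").lower()


# Constants taken from the rule body, lower-cased for comparison.
MAIN_PREFIXES = ("c:\\program files (x86)\\", "c:\\program files\\")
GUM_TEMP_DIRS = ("\\appdata\\local\\temp\\gum", ":\\windows\\systemtemp\\gum")


def selection(event):
    """selection: ImageLoaded|endswith '\\goopdate.dll'"""
    return _lower(event.get("ImageLoaded")).endswith("\\goopdate.dll")


def filter_main_generic(event):
    """filter_main_generic: DLL loaded from either Program Files directory."""
    return _lower(event.get("ImageLoaded")).startswith(MAIN_PREFIXES)


def filter_optional_dropbox_installer_temp(event):
    """Dropbox binary and goopdate.dll both inside a GUM*.tmp staging directory."""
    image, loaded = _lower(event.get("Image")), _lower(event.get("ImageLoaded"))
    image_ok = "\\appdata\\local\\temp\\gum" in image and ".tmp\\dropbox" in image
    loaded_ok = "\\appdata\\local\\temp\\gum" in loaded and ".tmp\\goopdate.dll" in loaded
    return image_ok and loaded_ok


def filter_optional_googleupdate_temp(event):
    """GoogleUpdate.exe staged in a GUM*.tmp directory (user Temp or SystemTemp)."""
    image, loaded = _lower(event.get("Image")), _lower(event.get("ImageLoaded"))
    return (any(d in image for d in GUM_TEMP_DIRS)
            and image.endswith(".tmp\\googleupdate.exe")
            and any(d in loaded for d in GUM_TEMP_DIRS))


OPTIONAL_FILTERS = (filter_optional_dropbox_installer_temp, filter_optional_googleupdate_temp)


def matches_rule(event, extra_filters=()):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

    extra_filters: callables an analyst adds for site-specific baselining."""
    if not selection(event):
        return False
    if filter_main_generic(event):
        return False
    if any(f(event) for f in OPTIONAL_FILTERS + tuple(extra_filters)):
        return False
    return True


def explain(event):
    """Per-selector verdicts, handy when working out which filter suppressed an event."""
    return {
        "selection": selection(event),
        "filter_main_generic": filter_main_generic(event),
        "filter_optional_dropbox_installer_temp": filter_optional_dropbox_installer_temp(event),
        "filter_optional_googleupdate_temp": filter_optional_googleupdate_temp(event),
        "alert": matches_rule(event),
    }


def alerts(events, extra_filters=()):
    """Image paths of the events that would raise this rule."""
    return [e["Image"] for e in events if matches_rule(e, extra_filters)]


def baseline_user_chrome(event):
    """Hypothetical site-specific exclusion for Chrome's per-user install, the false
    positive named in the rule text. Path-only; see the usage note."""
    image, loaded = _lower(event.get("Image")), _lower(event.get("ImageLoaded"))
    return "\\appdata\\local\\google\\update\\" in loaded and image.endswith("\\chrome.exe")


# Constructed sample events; paths, user name and version are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",          # filter_main_generic
     "ImageLoaded": r"C:\Program Files\Google\Update\1.3.36.351\goopdate.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\GUM1234.tmp\GoogleUpdate.exe",  # googleupdate_temp
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\GUM1234.tmp\goopdate.dll"},
    {"Image": r"C:\Windows\SystemTemp\GUM9.tmp\GoogleUpdate.exe",                # googleupdate_temp
     "ImageLoaded": r"C:\Windows\SystemTemp\GUM9.tmp\goopdate.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\GUM5678.tmp\DropboxUpdate.exe",  # dropbox_installer_temp
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\GUM5678.tmp\goopdate.dll"},
    {"Image": r"C:\Users\alice\Downloads\updater.exe",                            # alert
     "ImageLoaded": r"C:\Users\alice\Downloads\goopdate.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",  # alert (expected FP)
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Google\Update\1.3.36.351\goopdate.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",                                 # no selection match
     "ImageLoaded": r"C:\Windows\System32\wininet.dll"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT     " if matches_rule(e) else "suppressed", e["Image"])
    print("with user-Chrome baseline:", alerts(SAMPLE_EVENTS, [baseline_user_chrome]))
```

Run as a script it prints one verdict per sample event, then the reduced alert list once the per-user Chrome baseline is applied. A path-only exclusion like baseline_user_chrome is the weakest kind of baseline, since anything that can write under AppData can satisfy it; where the telemetry carries signer or hash fields for the loaded image, pin the exclusion to those instead and keep the path condition only as a narrowing clause.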
MITRE ATT&CK: Persistence, Defense Evasion, Privilege Escalation; T1574.001
Rule Metadata
Rule ID: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
Status: test
Level: medium
Type: Detection
Created: Mon May 15
Modified: Tue Oct 07
Path: rules/windows/image_load/image_load_side_load_goopdate.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001