Potentially Suspicious GoogleUpdate Child Process

Hunt Hypothesis

Detects potentially suspicious child processes of “GoogleUpdate.exe”

Detection Rule

Sigma (Original)

title: Potentially Suspicious GoogleUpdate Child Process
id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2
related:
    - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
      type: derived
status: test
description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-05-22
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
    filter_main_known_legit:
        # Some other legit child process might exist. It's better to make a baseline before running this in production
        - Image|contains: '\Google' # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe
        - Image|endswith:
              - '\setup.exe'
              - 'chrome_updater.exe'
              - 'chrome_installer.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\GoogleUpdate.exe" or ActingProcessName endswith "\\GoogleUpdate.exe") and (not(((TargetProcessName contains "\\Google" or (TargetProcessName endswith "\\setup.exe" or TargetProcessName endswith "chrome_updater.exe" or TargetProcessName endswith "chrome_installer.exe")) or isnull(TargetProcessName))))

Required Data Sources

False Positive Guidance

• Unknown

References

• https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
• SigmaHQ Rule