Page Contents
Description
To assist SOC’s (Security Operation Teams) and detection engineers I have pulled together a few examples for detection analytics to identify possible Gootkit execution. Once executed the common next step is a discovery of the network and local host in encoded scripts which are downloaded from a C2C server. This C2C server will be commonly connected to along with establishing persistence as a scheduled task.
Prerequisite
For Windows OS detection based on the event logs the Event ID 4688 must be enabled along with command line logging.
JavaScript launched by User
This rule detects where a user has attempted to open a JavaScript file by double clicking it which is highly unusual and suspicious and thus a likely indication of execution of the malicious payload commonly seen with GootKit and other Trojans.
Windows Event
EventID == "4688"
CommandLine contains "wscript.exe" and CommandLine contains ".js"
MITRE Tactic & Technique
Execution T1059 & T1204
JavaScript in Downloads folder
*Rule built for Defender for Endpoint raw logs*
Although not strictly suspicious it is uncommon for normal users who aren’t developers to have JavaScript files in their downloads folder. This rule therefore detects such files in an attempt to identify potential threats before they might be executed. For drive by attacks and phishing emails which Gootkit typically relies on the zipped folder which contains the JavaScript file will be download to the usual downloads folder.
Defender for Endpoint DeviceFileEvents
DeviceFileEvents
| where Folderpath contains "C:\\Users\\" and FolderPath contains "\\Downloads\\" and FolderPath endswith ".js" and not (FolderPath endswith ".json")
Suspicious JavaScript launched by Word or File Explorer
This rule detects where a JavaScript file has been executed from Word or File Explorer and could be a potential indicator of Gootkit or other malware strains.
Windows Event
EventID == "4688"
ParentProcess == "explorer.exe" or ParentProcess == "winword.exe"
FileName == "wscript.exe"
CommandLine contains ".js"
MITRE Tactic & Technique
Execution T1059 & T1204