Gootkit malware, once delivered, is likely being used to exfiltrate sensitive data and to maintain persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel so that the delivery and any follow-on command and control are detected and contained before significant damage occurs.
KQL Query
AlertInfo
| where Title =~ "Suspected delivery of Gootkit malware"
// The section below surfaces active follow-on command and control resulting from the behavior above. Comment out the joins below to see
// only the file create events, where the malware may be present but has not yet been executed.
////
// Get alert evidence
| join AlertEvidence on $left.AlertId == $right.AlertId
// Look for C2
| join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId
| where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
| summarize by RemoteUrl, RemoteIP, DeviceId, InitiatingProcessCommandLine, Timestamp,
    InitiatingProcessFileName, AlertId, Title, AccountName
id: c8796d76-9a84-4cc8-91b5-d01f882869d4
name: Gootkit-malware
description: |
  This query was originally published on Twitter, by @MsftSecIntel.
  Gootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a variety of malicious activities.
  The query helps find events related to Gootkit downloads and command-and-control behavior.
  Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceNetworkEvents
tactics:
  - Command and control
query: |
  AlertInfo
  | where Title =~ "Suspected delivery of Gootkit malware"
  // The section below surfaces active follow-on command and control resulting from the behavior above. Comment out the joins below to see
  // only the file create events, where the malware may be present but has not yet been executed.
  ////
  // Get alert evidence
  | join AlertEvidence on $left.AlertId == $right.AlertId
  // Look for C2
  | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId
  | where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
  | summarize by RemoteUrl, RemoteIP, DeviceId, InitiatingProcessCommandLine, Timestamp,
      InitiatingProcessFileName, AlertId, Title, AccountName
| Sentinel Table | Notes |
|---|---|
| AlertInfo | Ingested by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled |
| AlertEvidence | Ingested by the same connector; ensure it is enabled |
| DeviceNetworkEvents | Ingested by the same connector; ensure it is enabled and that onboarded devices are reporting network events |
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task created with schtasks.exe runs a legitimate maintenance utility (e.g., cleanmgr.exe or defrag.exe) during off-peak hours.
Filter/Exclusion: Exclude processes started by the scheduled task whose command line is cleanmgr.exe or defrag.exe, and only within the defined maintenance window; bind the exclusion to those exact binaries rather than to anything schtasks.exe creates.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: A system administrator uses PowerShell to analyze system logs (e.g., with Get-EventLog or Get-WinEvent) for troubleshooting.
Filter/Exclusion: Exclude PowerShell command lines containing Get-EventLog or Get-WinEvent when they are run by known admin accounts (e.g., the built-in Administrator, or members of Domain Admins); match on the account and the cmdlet together, not on either alone.
Scenario: Antivirus or EDR Tool Performing a Full System Scan
Description: A legitimate antivirus or EDR agent (e.g., Microsoft Defender, CrowdStrike Falcon, or SentinelOne) is performing a full system scan, which generates bursts of file and network activity on the device.
Filter/Exclusion: Exclude network events whose initiating process is a known AV/EDR binary (e.g., MsMpEng.exe for Microsoft Defender, CSFalconService.exe for CrowdStrike Falcon, SentinelAgent.exe for SentinelOne) during scheduled scans. Note that the query's final filter already restricts matches to wscript.exe, so this exclusion only has an effect if that filter is widened.
Scenario: Deployment of a Patch or Update via Group Policy
Description: A Group Policy refresh is running (gpupdate.exe, or the Group Policy Client service, gpsvc, hosted in svchost.exe), which may involve temporary file creation or registry modifications.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe, or by the Group Policy Client service, during scheduled patch deployment windows.
Scenario: Legitimate Remote Management Tool Usage
Description: A remote management tool (e.g., PsExec, `PSTools