Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 38 lines (37 sloc) 1.15 KB
---
action: global
title: APT29 Google Update Service Install
description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
references:
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
tags:
- attack.command_and_control
- attack.g0016
- attack.t1172
logsource:
product: windows
detection:
service:
EventID: 7045
ServiceName: 'Google Update'
timeframe: 5m
condition: service | near process
falsepositives:
- Unknown
level: high
---
# Windows Audit Log
detection:
process:
EventID: 4688
NewProcessName:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
# Sysmon
detection:
process:
EventID: 1
Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'