Validating detection for Gootloader with Atomic Red Team
Common Information
Type Value
UUID 314653f5-069f-41d7-81fc-5f61dc84a2b4
Fingerprint 2d1591d601a59a88
Analysis status DONE
Considered CTI value -2
Text language
Published Oct. 30, 2023, midnight
Added to db Nov. 19, 2023, 3:35 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Emu-lation: Validating detection for Gootloader with Atomic Red Team
Title Validating detection for Gootloader with Atomic Red Team
Detected Hints/Tags/Attributes 70/2/25
RSS Feed
Id Enabled Feed title Url Added to db
360 Red Canary https://www.redcanary.co/feed/ 2024-08-30 22:08
Attributes
Type (#Events): Value
Domain (372): wscript.shell
Domain (1): value.id
File (376): wscript.exe
File (155): cscript.exe
File (19): 1.js
File (30): c:\windows\system32\wscript.exe
File (1): temp1_this_is_my_query.zip
File (1): this_is_my_query.js
File (1): c:\users\administrator\appdata\local\temp\t1027js\t1027js.js
File (1): t1027js.js
File (1208): powershell.exe
File (27): invoke-mimikatz.ps1
File (1): wshell.exe
File (19): system.xml
File (8): test.xml
File (50): a.exe
File (312): calc.exe
Github username (22): powershellmafia
Github username (17): redcanaryco
sha1 (1): f650520c4b1004daf8b3ec08007a0b945b91253a
MITRE ATT&CK Techniques (627): T1027
MITRE ATT&CK Techniques (460): T1059.001
MITRE ATT&CK Techniques (275): T1053.005
Url (1): https://raw.githubusercontent.com/powershellmafia/powersploit/f650520c4b1004daf8b3ec08007a0b945b91253a/exfiltration/invoke-mimikatz.ps1
Url (1): https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/t1059.001/src/test.xml');$xml.command.a.execute