LoFP / False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.

Techniques

Sample rules

Potential Goopdate.DLL Sideloading

Description

Detects potential DLL sideloading of "goopdate.dll", a DLL used by GoogleUpdate.exe

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
filter_optional_dropbox_installer_temp:
  ImageLoaded|contains|all:
  - \AppData\Local\Temp\GUM
  - .tmp\\goopdate.dll
  Image|contains|all:
  - \AppData\Local\Temp\GUM
  - .tmp\Dropbox
selection:
  ImageLoaded|endswith: \goopdate.dll
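To see how the selection and filters above combine, and where the Chrome user-location false positive noted at the top of this page comes from, here is an added Python evaluator that re-implements the rule's logic over a handful of constructed Sysmon Event ID 7 (ImageLoad) records. This is example code written for this page, not code from the Sigma project or from LoFP; the sample paths, user name, GUM*.tmp directory name and the `1.2.3.4` version directory are constructed placeholders, and `filter_optional_chrome_user_install` is a hypothetical additional filter of the kind the LoFP note suggests, not part of the published rule. It goes slightly beyond the page by requiring the loaded DLL to sit under the updater's own directory, so an unrelated process loading goopdate.dll elsewhere is still reported.

```python
"""Toy evaluator for the goopdate.dll sideloading rule (added example).

Re-implements the rule's selection and filters in plain Python, runs them over
constructed Sysmon EID 7 records, and shows how an extra (hypothetical) filter
suppresses the Chrome user-location false positive without hiding other loads.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # Sysmon EID 7 "Image": the process that loaded the DLL
    image_loaded: str  # Sysmon EID 7 "ImageLoaded": full path of the loaded DLL


Filter = Callable[[ImageLoadEvent], bool]


# Sigma string comparisons are case-insensitive, so every matcher lower-cases.
def selection(ev: ImageLoadEvent) -> bool:
    """selection: ImageLoaded|endswith: \\goopdate.dll"""
    return ev.image_loaded.lower().endswith("\\goopdate.dll")


def filter_main_generic(ev: ImageLoadEvent) -> bool:
    """filter_main_generic: ImageLoaded|startswith one of the Program Files roots."""
    return ev.image_loaded.lower().startswith(
        ("c:\\program files (x86)\\", "c:\\program files\\"))


def filter_optional_dropbox_installer_temp(ev: ImageLoadEvent) -> bool:
    """Both the DLL and the loading process live in a GUM*.tmp Dropbox installer dir."""
    loaded, image = ev.image_loaded.lower(), ev.image.lower()
    return (all(s in loaded for s in ("\\appdata\\local\\temp\\gum", ".tmp\\goopdate.dll"))
            and all(s in image for s in ("\\appdata\\local\\temp\\gum", ".tmp\\dropbox")))


def filter_optional_chrome_user_install(ev: ImageLoadEvent) -> bool:
    """HYPOTHETICAL extra filter for the LoFP case (not in the Sigma rule):
    GoogleUpdate.exe running from the user's own Google\\Update directory and
    loading goopdate.dll from inside that same directory tree."""
    loaded, image = ev.image_loaded.lower(), ev.image.lower()
    user_update_dir = "\\appdata\\local\\google\\update\\"
    image_dir = image.rsplit("\\", 1)[0] + "\\"
    return image.endswith(user_update_dir + "googleupdate.exe") and loaded.startswith(image_dir)


MAIN_FILTERS = (filter_main_generic,)
OPTIONAL_FILTERS = (filter_optional_dropbox_installer_temp,)


def rule_matches(ev: ImageLoadEvent, extra_filters: Iterable[Filter] = ()) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(ev):
        return False
    return not any(f(ev) for f in (*MAIN_FILTERS, *OPTIONAL_FILTERS, *extra_filters))


# Constructed sample records (not real telemetry); 1.2.3.4 is a placeholder version dir.
SAMPLE_EVENTS: Dict[str, ImageLoadEvent] = {
    "chrome_program_files": ImageLoadEvent(
        r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        r"C:\Program Files (x86)\Google\Update\1.2.3.4\goopdate.dll"),
    "chrome_user_appdata": ImageLoadEvent(  # the false positive this LoFP entry describes
        r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe",
        r"C:\Users\alice\AppData\Local\Google\Update\1.2.3.4\goopdate.dll"),
    "dropbox_installer_temp": ImageLoadEvent(
        r"C:\Users\alice\AppData\Local\Temp\GUM1A2B.tmp\DropboxUpdate.exe",
        r"C:\Users\alice\AppData\Local\Temp\GUM1A2B.tmp\goopdate.dll"),
    "unknown_downloads": ImageLoadEvent(  # goopdate.dll loaded by an unrelated binary
        r"C:\Users\alice\Downloads\report_viewer.exe",
        r"C:\Users\alice\Downloads\goopdate.dll"),
    "unrelated_dll": ImageLoadEvent(
        r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe",
        r"C:\Windows\System32\kernel32.dll"),
}


def firing_events(extra_filters: Iterable[Filter] = ()) -> List[str]:
    """Names of the sample events the rule fires on, in insertion order."""
    extra = tuple(extra_filters)
    return [name for name, ev in SAMPLE_EVENTS.items() if rule_matches(ev, extra)]


if __name__ == "__main__":
    print("rule as published :", firing_events())
    print("with extra filter :", firing_events((filter_optional_chrome_user_install,)))
```

Run as published, the rule fires on both the user-location Chrome updater and the unrelated binary in Downloads; with the hypothetical extra filter only the latter remains. The extra filter deliberately keys on the loading process as well as the DLL path, so it does not turn into a blanket exclusion of every goopdate.dll under AppData.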