Adversaries may use Gootkit to deliver ransomware over its command and control (C2) channel, using the compromised host to stage further payloads and exfiltrate data. SOC teams should hunt proactively for this behavior in Azure Sentinel so that a Gootkit delivery can be identified and contained before the follow-on ransomware stage causes significant damage.
KQL Query

```kql
AlertInfo | where Title =~ "Suspected delivery of Gootkit malware"
// Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see
// only file create events where the malware may be present but has not yet been executed.
////
// Get alert evidence
| join AlertEvidence on $left.AlertId == $right.AlertId
// Look for C2
| join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId
| where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
| summarize by RemoteUrl, RemoteIP, DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName
```
```yaml
id: 11d725f5-93d8-4b34-a64f-bf8450cdb184
name: Gootkit File Delivery
description: |
  This query surfaces alerts related to Gootkit, which has been observed delivering ransomware, and enriches them with command and control information.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceNetworkEvents
tactics:
  - Ransomware
query: |
  AlertInfo | where Title =~ "Suspected delivery of Gootkit malware"
  // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see
  // only file create events where the malware may be present but has not yet been executed.
  ////
  // Get alert evidence
  | join AlertEvidence on $left.AlertId == $right.AlertId
  // Look for C2
  | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId
  | where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
  | summarize by RemoteUrl, RemoteIP, DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
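
A time-bounded variant of the hunt above, added here as an example and not part of the original hunting query: it renames the clashing `Timestamp` and `DeviceId` columns before each join (the original relies on Kusto's automatic `Timestamp1`/`DeviceId1` suffixes, so the `Timestamp` it summarizes on is the alert time, not the connection time) and keeps only wscript.exe connections that occur after the alert, so a device's unrelated older wscript activity does not surface as C2. The `lookahead` window of one day is an assumption; the table and column names are those of the Microsoft 365 Defender connector tables the query already uses.

```kql
// Added example: time-bounded variant of the Gootkit File Delivery hunt.
// Assumption: a 1d lookahead from the alert is long enough to catch the first C2 beacon.
let lookahead = 1d;
AlertInfo
| where Title =~ "Suspected delivery of Gootkit malware"
| project AlertId, AlertTime = Timestamp, Title
// Device/account entities attached to the alert; evidence rows without a DeviceId
// (e.g. file or URL entities) cannot be correlated to network events, so drop them.
// kind=inner keeps every evidence row per device instead of innerunique's single pick.
| join kind=inner (
    AlertEvidence
    | where isnotempty(DeviceId)
    | project AlertId, DeviceId, AccountName
  ) on AlertId
// Follow-on C2: wscript.exe launched from a zipped .js on the same device.
| join kind=inner (
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "wscript.exe"
    | where InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
    | project DeviceId, NetTime = Timestamp, RemoteUrl, RemoteIP, RemotePort,
              InitiatingProcessFileName, InitiatingProcessCommandLine
  ) on DeviceId
// Only connections that happen after the delivery alert, within the lookahead window.
| where NetTime between (AlertTime .. (AlertTime + lookahead))
| summarize FirstSeen = min(NetTime), LastSeen = max(NetTime), Connections = count()
    by AlertId, Title, DeviceId, AccountName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
| order by FirstSeen asc
```

Rows with a `FirstSeen` close to the alert time and repeated `Connections` to the same `RemoteUrl` are the ones to triage first, since they indicate the script ran and is beaconing rather than merely sitting on disk.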
False Positive Scenarios

Each scenario below describes benign activity that could resemble Gootkit file delivery, together with a suggested exclusion. The exclusions are written in a field:value notation rather than KQL; map the fields to the corresponding Advanced Hunting columns before adding them to the query.

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate Software Update via Scheduled Job | A scheduled job runs a legitimate software update that includes a file with a suspicious name (e.g., update.exe) but is signed by a trusted vendor. | `process.parent_process_name:"Task Scheduler" OR file.hash_sha256:"<trusted_hash>"` |
| Admin Performing System Cleanup with PowerShell | An admin uses PowerShell to clean up temporary files, which may include a file named clean.exe that matches the Gootkit file signature. | `process.name:"powershell.exe" AND process.user:"<admin_username>" AND process.command_line:"*clean*"` |
| Antivirus Quarantine File Renaming | An antivirus tool quarantines a malicious file and renames it to a benign-looking name (e.g., safe.exe), triggering the Gootkit detection rule. | `file.path:"C:\Windows\Temp\*" OR process.name:"Windows Defender Antivirus"` |
| Legitimate File Delivery via Microsoft Endpoint Manager (MEM) | A file is deployed via Microsoft Endpoint Manager to update devices, and the file name matches known Gootkit indicators. | `process.parent_process_name:"msiexec.exe" OR process.parent_process_name:"setup.exe" AND process.command_line:"*microsoft.com*"` |
| User-Initiated File Transfer via USB Stick | A user transfers a file from a USB stick to a workstation, and the file name matches the Gootkit detection criteria. | `process.name:"explorer.exe" AND file.path:"<user_profile>\Downloads\*"` |