The Win32.Gozi detection rule identifies potential adversary behavior involving malware communication and data exfiltration through suspicious network activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromises and prevent lateral movement within the network.
YARA Rule
rule GoziRule : Gozi Family {
    meta:
        description = "Win32.Gozi"
        author = "CCN-CERT"
        version = "1.0"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        // UTF-16LE "cookies.sqlite-journal" plus its wide NUL terminator, immediately
        // followed by ASCII "OPERA.EXE" plus NUL. The browser file name alone is
        // benign; the adjacency to OPERA.EXE is what makes the sequence specific.
        $ = {63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00}
    condition:
        all of them
}
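To show what the rule's hex string spells out and to exercise it against constructed buffers, here is an added Python example (not CCN-CERT's or the page's own code): a minimal matcher that supports only literal bytes and '??' wildcards, not the YARA engine, and the sample buffers are constructed, not real malware bytes.

```python
import re

# Hex string copied from the GoziRule 'strings' section above.
GOZI_HEX = (
    "63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 "
    "69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 "
    "00 00 4F 50 45 52 41 2E 45 58 45 00"
)

def hex_string_to_regex(hex_str: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string to a bytes regex. Supported tokens:
    'AB' (literal byte) and '??' (any byte); jumps/alternation are not handled."""
    parts = []
    for tok in hex_str.strip("{} \n").split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)

def decode_pattern(hex_str: str) -> tuple:
    """Spell out the literal bytes: a NUL-terminated UTF-16LE string
    followed by a NUL-terminated ASCII string."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    end = next(i for i in range(0, len(raw), 2) if raw[i:i + 2] == b"\x00\x00")
    wide = raw[:end].decode("utf-16-le")
    narrow = raw[end + 2:].rstrip(b"\x00").decode("ascii")
    return wide, narrow

GOZI_PATTERN = hex_string_to_regex(GOZI_HEX)

def scan(buf: bytes) -> list:
    """Offsets where the rule's only string matches; 'all of them' fires if non-empty."""
    return [m.start() for m in GOZI_PATTERN.finditer(buf)]

# Constructed samples (not real malware bytes): padding, then the exact byte
# sequence; and a benign buffer that carries only the wide browser file name.
SAMPLE_HIT = b"A" * 16 + bytes.fromhex(GOZI_HEX.replace(" ", "")) + b"\x00" * 8
SAMPLE_BENIGN = "cookies.sqlite-journal".encode("utf-16-le") + b"\x00\x00firefox.exe\x00"

if __name__ == "__main__":
    print(decode_pattern(GOZI_HEX))  # ('cookies.sqlite-journal', 'OPERA.EXE')
    print(scan(SAMPLE_HIT), scan(SAMPLE_BENIGN))  # [16] []
```

The benign buffer shows why the rule keys on the whole sequence: the journal file name by itself appears in ordinary browser profiles and would be a false positive.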
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using Microsoft Baseline Security Analyzer (MBSA) to perform a security scan.
Filter/Exclusion: Exclude processes associated with mbsa.exe or check for the presence of a known MBSA scan task in the task scheduler.
Scenario: A scheduled job runs a Windows Defender Antivirus scan using Microsoft Defender ATP.
Filter/Exclusion: Exclude processes with the parent process svchost.exe or check for the presence of a known Defender scan task in the task scheduler.
Scenario: A PowerShell script is executed by an admin to update system configurations, such as Group Policy Objects (GPO).
Filter/Exclusion: Exclude processes with the parent process services.exe or filter by the presence of powershell.exe with a known GPO update script.
Scenario: A Windows Update task is running to install critical patches.
Filter/Exclusion: Exclude processes associated with wuauserv or check for the presence of a known Windows Update task in the task scheduler.
Scenario: A remote desktop session is being used to perform administrative tasks, such as configuring network settings.
Filter/Exclusion: Exclude processes with the parent process tsclient.exe or check for the presence of a known RDP session.