The hypothesis is that an adversary is attempting to sideload the Goopdate.DLL file into a legitimate process to execute malicious code, leveraging T1574.001 to maintain persistence and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence mechanisms used by advanced threats.
Detection Rule
title: Potential Goopdate.DLL Sideloading
id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
status: test
description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\goopdate.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            # Many third-party Chromium-based apps use this DLL. It's better to create a baseline and add specific filters
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_dropbox_installer_temp:
        Image|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\Dropbox'
        ImageLoaded|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\goopdate.dll'
    filter_optional_googleupdate_temp:
        Image|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
        Image|endswith: '.tmp\GoogleUpdate.exe'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
    - Other third-party Chromium-based browsers located in AppData
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\goopdate.dll"
    and not (FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\")
    and not (
        (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM"
            and InitiatingProcessFolderPath contains ".tmp\\Dropbox"
            and FolderPath contains "\\AppData\\Local\\Temp\\GUM"
            and FolderPath contains ".tmp\\goopdate.dll")
        or ((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" or InitiatingProcessFolderPath contains ":\\Windows\\SystemTemp\\GUM")
            and InitiatingProcessFolderPath endswith ".tmp\\GoogleUpdate.exe"
            and (FolderPath contains "\\AppData\\Local\\Temp\\GUM" or FolderPath contains ":\\Windows\\SystemTemp\\GUM"))
    )
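To make the rule's condition concrete before it goes into a hunt, the following added example (written for this page; it is not the rule authors' code or part of the Sigma project) reproduces the selection, the three filters and the `selection and not 1 of filter_main_* and not 1 of filter_optional_*` condition in Python and runs them over constructed image-load events. The `ImageLoadEvent` class, the event names and every path in `SAMPLE_EVENTS` are invented for illustration; the matching semantics (case-insensitive, `contains|all` as AND, a list under `contains` as OR) follow the Sigma rule and the KQL translation above.

```python
"""Added example: evaluate the goopdate.dll sideloading rule over constructed events.

Not the rule authors' code. It mirrors the Sigma selection/filters/condition so the
suppression logic can be checked against sample data before tuning in production.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ImageLoadEvent:
    """Minimal image_load event (hypothetical shape, not a real telemetry schema)."""
    image: str          # Sigma field Image (MDE: InitiatingProcessFolderPath)
    image_loaded: str   # Sigma field ImageLoaded (MDE: FolderPath)


def _lc(s: str) -> str:
    # Sigma string modifiers match case-insensitively, so compare lowercase throughout.
    return s.lower()


PROGRAM_FILES_PREFIXES = ("c:\\program files (x86)\\", "c:\\program files\\")
GUM_TEMP_MARKERS = ("\\appdata\\local\\temp\\gum", ":\\windows\\systemtemp\\gum")


def selection(e: ImageLoadEvent) -> bool:
    # ImageLoaded|endswith: '\goopdate.dll'
    return _lc(e.image_loaded).endswith("\\goopdate.dll")


def filter_main_generic(e: ImageLoadEvent) -> bool:
    # ImageLoaded|startswith: the Program Files baseline (list under a modifier = OR)
    return _lc(e.image_loaded).startswith(PROGRAM_FILES_PREFIXES)


def filter_optional_dropbox_installer_temp(e: ImageLoadEvent) -> bool:
    # Two |contains|all clauses in one map: every marker must be present, both fields must hold
    img, loaded = _lc(e.image), _lc(e.image_loaded)
    return (all(m in img for m in ("\\appdata\\local\\temp\\gum", ".tmp\\dropbox"))
            and all(m in loaded for m in ("\\appdata\\local\\temp\\gum", ".tmp\\goopdate.dll")))


def filter_optional_googleupdate_temp(e: ImageLoadEvent) -> bool:
    # Image|contains (OR over list) AND Image|endswith AND ImageLoaded|contains (OR over list)
    img, loaded = _lc(e.image), _lc(e.image_loaded)
    return (any(m in img for m in GUM_TEMP_MARKERS)
            and img.endswith(".tmp\\googleupdate.exe")
            and any(m in loaded for m in GUM_TEMP_MARKERS))


FILTERS: Dict[str, Callable[[ImageLoadEvent], bool]] = {
    "filter_main_generic": filter_main_generic,
    "filter_optional_dropbox_installer_temp": filter_optional_dropbox_installer_temp,
    "filter_optional_googleupdate_temp": filter_optional_googleupdate_temp,
}


def evaluate(e: ImageLoadEvent) -> str:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

    Returns 'alert', 'not_selected' or 'suppressed:<filter>' so a tuning decision can be
    traced to the clause that made it.
    """
    if not selection(e):
        return "not_selected"
    for name, fn in FILTERS.items():   # '1 of filter_*': a single matching filter suppresses
        if fn(e):
            return f"suppressed:{name}"
    return "alert"


# Constructed sample events (invented paths, not real telemetry), one per behaviour of interest.
SAMPLE_EVENTS: List[Tuple[str, ImageLoadEvent]] = [
    ("sideload_from_temp", ImageLoadEvent(
        "C:\\Users\\alice\\Downloads\\updater.exe",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\stage\\goopdate.dll")),
    ("chrome_in_appdata", ImageLoadEvent(          # the documented expected false positive
        "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe",
        "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\1.2.3.4\\goopdate.dll")),
    ("program_files_baseline", ImageLoadEvent(
        "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
        "C:\\Program Files (x86)\\Google\\Update\\1.2.3.4\\goopdate.dll")),
    ("dropbox_installer_temp", ImageLoadEvent(
        "C:\\Users\\alice\\AppData\\Local\\Temp\\GUM1A2B.tmp\\DropboxUpdate.exe",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\GUM1A2B.tmp\\goopdate.dll")),
    ("googleupdate_systemtemp", ImageLoadEvent(
        "C:\\Windows\\SystemTemp\\GUM3C4D.tmp\\GoogleUpdate.exe",
        "C:\\Windows\\SystemTemp\\GUM3C4D.tmp\\goopdate.dll")),
    ("unrelated_dll", ImageLoadEvent(
        "C:\\Users\\alice\\Downloads\\updater.exe",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\stage\\helper.dll")),
]


def run(events: List[Tuple[str, ImageLoadEvent]] = SAMPLE_EVENTS) -> Dict[str, str]:
    """Evaluate each named event and return {name: verdict}."""
    return {name: evaluate(e) for name, e in events}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:26s} {verdict}")
```

Running it shows the two outcomes the rule's falsepositives section warns about side by side: `sideload_from_temp` and `chrome_in_appdata` both come back as `alert`, because nothing in the rule distinguishes an updater running from a user's AppData from a staged loader, while the Program Files, Dropbox and GoogleUpdate temp cases are suppressed by the filter named in the verdict. That is the point at which an environment-specific `filter_optional_*` entry (for example, anchored on the signed Google Update path under AppData) should be added rather than raising the rule's level.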
Scenario: Legitimate System Update via Windows Update
Description: A system update process may temporarily place goopdate.dll in a system directory as part of a Windows Update or servicing stack update.
Filter/Exclusion: Check the file’s hash against known Windows update hashes or filter by file path such as C:\Windows\Temp\ or C:\Windows\SoftwareDistribution\.
Scenario: Scheduled Job for Patch Management Tool
Description: A patch management tool like Microsoft Endpoint Configuration Manager (MECM) or SCCM may deploy updates that temporarily include goopdate.dll in a staging directory.
Filter/Exclusion: Exclude files from known patch management directories such as C:\Windows\Temp\SCCM\ or filter by process name like msiexec.exe or ccmexec.exe.
Scenario: Admin Task to Deploy Custom Software
Description: An administrator may manually deploy a custom application that includes goopdate.dll in a legitimate directory during a software installation or configuration task.
Filter/Exclusion: Exclude files from known admin directories such as C:\Program Files\ or filter by user context (e.g., username == "Administrator").
Scenario: Antivirus or Security Software Scan
Description: Some security software may temporarily place goopdate.dll in a system directory during a scan or quarantine process.
Filter/Exclusion: Exclude files from known security software directories such as C:\Program Files\Windows Defender\ or filter by process name like MsMpEng.exe.
Scenario: Development Environment Setup
Description: A developer may include goopdate.dll in a development environment or build directory as part of a testing or debugging setup.
Filter/Exclusion: Exclude files from development directories such as `