The detection identifies potential GootKit malware activity by matching file hashes against known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: GootKit
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | c8889ebbf9516b00d148dfd3b2aee781deb30d27f654039903d31a8ff39d1f4e | payload | 2026-06-11 | 95% |
| sha1_hash | b1e46ed3f539868edb60e25b523e77dea71868c2 | payload | 2026-06-11 | 95% |
| md5_hash | 2e4973a854f88682666c77394ec3e61e | payload | 2026-06-11 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - GootKit
let malicious_hashes = dynamic([
    "c8889ebbf9516b00d148dfd3b2aee781deb30d27f654039903d31a8ff39d1f4e",
    "b1e46ed3f539868edb60e25b523e77dea71868c2",
    "2e4973a854f88682666c77394ec3e61e"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using GootKit-Related Tools
Description: A system administrator schedules a legitimate job using a tool like Task Scheduler or cron to run a script that includes a file or command matching GootKit IOCs (e.g., powershell.exe with a specific command line).
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or cron jobs, or filter by user SYSTEM or root.
Scenario: Admin Performing Network Discovery with Nmap
Description: An administrator uses nmap to scan internal networks for open ports and services, which may include IP addresses or ports that match GootKit IOCs.
Filter/Exclusion: Exclude processes running nmap or tcpdump and filter by known internal IP ranges or specific network discovery tools.
Scenario: Legitimate Software Update Process
Description: A software update process, such as Microsoft’s Windows Update or a third-party update tool, may include files or registry keys that match GootKit IOCs.
Filter/Exclusion: Exclude processes associated with Windows Update (wuauclt.exe), Microsoft Update, or known update tools by their process names or parent processes.
Scenario: Security Tool Performing Threat Intelligence Lookup
Description: A security tool like CrowdStrike or CrowdStrike Falcon may query ThreatFox or other threat intelligence sources, which could trigger GootKit-related IOCs.
Filter/Exclusion: Exclude processes associated with security tools (e.g., CrowdStrike, Microsoft Defender ATP) or filter by known threat intelligence query patterns.
Scenario: Legitimate Log Analysis with PowerShell
Description: A system administrator uses PowerShell scripts to analyze logs, which may include commands or file paths that match GootKit IOCs.
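The hunt query above and the initiator exclusions from the scenarios, re-implemented as an added Python example (not code from the original page) so the matching logic can be exercised offline: the three IOCs are the hashes from the table, while the event records, device names and file names are constructed sample data and the `wuauclt.exe` exclusion is the one the software-update scenario suggests.

```python
# Added example (not code from the original page): the DeviceFileEvents hash
# hunt above re-implemented in Python so the matching logic and the initiator
# exclusions from the false-positive scenarios can be tested offline.

MALICIOUS_HASHES = {
    "c8889ebbf9516b00d148dfd3b2aee781deb30d27f654039903d31a8ff39d1f4e",
    "b1e46ed3f539868edb60e25b523e77dea71868c2",
    "2e4973a854f88682666c77394ec3e61e",
}
# Hex length identifies the algorithm, so each IOC is compared only with the
# DeviceFileEvents column of the same type (MD5=32, SHA1=40, SHA256=64).
HASH_COLUMNS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# Initiating processes excluded per the software-update scenario above.
EXCLUDED_INITIATORS = {"wuauclt.exe"}

def index_iocs(hashes):
    """Group IOCs by the event column to check; reject malformed values."""
    by_column = {col: set() for col in HASH_COLUMNS.values()}
    for h in hashes:
        h = h.lower()
        col = HASH_COLUMNS.get(len(h))
        if col is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"unrecognised hash format: {h!r}")
        by_column[col].add(h)
    return by_column

def hunt(events, hashes=MALICIOUS_HASHES, excluded=EXCLUDED_INITIATORS):
    """Return matching events newest first, mirroring the KQL hunt above."""
    iocs = index_iocs(hashes)
    hits = []
    for ev in events:
        if ev.get("InitiatingProcessFileName", "").lower() in excluded:
            continue  # known-benign initiator per the scenarios above
        matched = [col for col, vals in iocs.items()
                   if (ev.get(col) or "").lower() in vals]
        if matched:
            hits.append({**ev, "MatchedOn": matched})
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

SAMPLE_EVENTS = [  # constructed sample records using DeviceFileEvents columns
    {"Timestamp": "2026-06-11T08:15:00Z", "DeviceName": "ws01", "FileName": "a.js",
     "SHA256": "c8889ebbf9516b00d148dfd3b2aee781deb30d27f654039903d31a8ff39d1f4e",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-11T09:00:00Z", "DeviceName": "ws02", "FileName": "b.dll",
     "MD5": "2e4973a854f88682666c77394ec3e61e",
     "InitiatingProcessFileName": "wuauclt.exe"},  # dropped by the exclusion
    {"Timestamp": "2026-06-12T10:30:00Z", "DeviceName": "ws03", "FileName": "c.exe",
     "SHA1": "B1E46ED3F539868EDB60E25B523E77DEA71868C2",  # upper case still matches
     "InitiatingProcessFileName": "cmd.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns the ws03 and ws01 events in that order; the ws02 event is suppressed only because of the exclusion, so any initiator you add to `EXCLUDED_INITIATORS` should be verified against your own telemetry first.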