{
	"id": "26d122e3-0c3f-4359-8635-9062acdc7a1e",
	"created_at": "2026-04-06T00:14:47.072147Z",
	"updated_at": "2026-04-10T03:21:27.885263Z",
	"deleted_at": null,
	"sha1_hash": "f985fea5f4005c398b975042bd4441bb63bbd1a1",
	"title": "Microsoft-365-Defender-Hunting-Queries/Delivery/Gootkit-malware.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44136,
	"plain_text": "Microsoft-365-Defender-Hunting-Queries/Delivery/Gootkit-malware.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries\r\nBy endisphotic\r\nArchived: 2026-04-05 21:31:16 UTC\r\nLatest commit\r\nMar 1, 2021\r\nThis query was originally published on Twitter, by @MsftSecIntel.\r\nGootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a\r\nvariety of malicious activities.\r\nThe query helps find events related to Gootkit downloads and command-and-control behavior.\r\nQuery\r\nAlertInfo | where Title =~ \"Suspected delivery of Gootkit malware\"\r\n// Below section is to surface active follow-on Command and Control as a result of the above behavio\r\n// only file create events where the malware may be present but has not yet been executed.\r\n////\r\n// Get alert evidence\r\n| join AlertEvidence on $left.AlertId == $right.AlertId\r\n// Look for C2\r\n| join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId\r\n| where InitiatingProcessFileName =~ \"wscript.exe\" and InitiatingProcessCommandLine has \".zip\" and In\r\n| summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp,\r\nInitiatingProcessFileName, AlertId, Title, AccountName\r\nCategory\r\nThis query can be used to detect the following attack techniques and tactics (see MITRE ATT\u0026CK framework) or\r\nsecurity configuration states.\r\nTechnique, tactic, or state Covered? (v=yes) Notes\r\nInitial access\r\nExecution\r\nhttps://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md\r\nPage 1 of 2\r\nPersistence\r\nPrivilege escalation\r\nDefense evasion\r\nCredential Access\r\nDiscovery\r\nLateral movement\r\nCollection\r\nCommand and control v\r\nExfiltration\r\nImpact\r\nVulnerability\r\nExploit\r\nMisconfiguration\r\nMalware, component\r\nRansomware\r\nContributor info\r\nContributor: Microsoft 365 Defender team\r\nSource: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md"
	],
	"report_names": [
		"Gootkit-malware.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f985fea5f4005c398b975042bd4441bb63bbd1a1.pdf",
		"text": "https://archive.orkl.eu/f985fea5f4005c398b975042bd4441bb63bbd1a1.txt",
		"img": "https://archive.orkl.eu/f985fea5f4005c398b975042bd4441bb63bbd1a1.jpg"
	}
}