| ID | Technique | Tactic |
|---|---|---|
| T1059.001 | PowerShell | Execution |
| T1001 | Data Obfuscation | Command And Control |
Detection: Windows PowGoop Beacon Decoding
Description
Detects a DLL decoding and executing the PowGoop config.txt payload, the stage in the MuddyWater infection chain where an obfuscated PowerShell beacon is unwrapped and live C2 communication begins. PowGoop is the primary loader used by MuddyWater (also tracked as SeedWorm, Static Kitten, and MERCURY) and has been their main initial access loader since at least 2020. It abuses DLL side-loading against a fake GoogleUpdate.exe to execute a multi-stage decoding chain, a fully functional PowerShell backdoor disguised with a benign extension. The config.txt contains a hardcoded C2 address and victim GUID, beacons via modified base64-encoded HTTP, and runs C2 traffic under the legitimate Google Update process to evade network detection.
Search
1
2| tstats `security_content_summariesonly`
3 count min(_time) as firstTime
4 max(_time) as lastTime
5
6from datamodel=Endpoint.Processes where
7
8Processes.parent_process_path="*rundll32.exe"
9Processes.process_name="powershell.exe"
10Processes.process="*FromBase64String*"
11Processes.process="*config.txt*"
12
13by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
14 Processes.parent_process_name Processes.parent_process_exec Processes.action
15 Processes.dest Processes.process_current_directory Processes.process_path
16 Processes.process_integrity_level Processes.original_file_name Processes.parent_process
17 Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
18 Processes.process_guid Processes.process_id Processes.user Processes.process_name
19
20
21| `drop_dm_object_name(Processes)`
22
23| `security_content_ctime(firstTime)`
24
25| `security_content_ctime(lastTime)`
26
27| `windows_powgoop_beacon_decoding_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | 'crowdstrike:events:sensor' |
'crowdstrike' |
| Sysmon EventID 1 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_powgoop_beacon_decoding_filter | search * |
windows_powgoop_beacon_decoding_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Installation
DE.CM
CIS 10
APT19
APT28
APT29
APT3
APT32
APT33
APT38
APT39
APT41
APT42
APT5
Akira
Aquatic Panda
BRONZE BUTLER
BlackByte
Blue Mockingbird
CURIUM
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
CopyKittens
Daggerfly
DarkHydrus
DarkVishnya
Deep Panda
Dragonfly
Earth Lusca
Ember Bear
FIN10
FIN13
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
Gallmaker
Gamaredon Group
Gorgon Group
HAFNIUM
HEXANE
Inception
Indrik Spider
Kimsuky
Lazarus Group
LazyScripter
Leviathan
Magic Hound
Medusa Group
Molerats
MoustachedBouncer
MuddyWater
Mustang Panda
Nomadic Octopus
OilRig
Patchwork
Play
Poseidon Group
RedCurl
Saint Bear
Sandworm Team
Scattered Spider
Sidewinder
Silence
Stealth Falcon
Storm-0501
Storm-1811
TA2541
TA459
TA505
TeamTNT
Threat Group-3390
Thrip
ToddyCat
Tonto Team
Turla
UNC3886
VOID MANTICORE
Volt Typhoon
WIRTE
Winter Vivern
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Some security tools or legitimate debugging processes may decode config files similar to PowGoop. Review and whitelist trusted applications to reduce false alerts.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Potential PowGoop Beacon Decoding activity observed on $dest$ via $process$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 50 | parent_process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1