---
action: global
title: APT29 Google Update Service Install
description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
logsource:
    product: windows
detection:
    service:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
    condition: service | near process
falsepositives:
    - Unknown
level: high
---
# Windows Audit Log
detection:
    process:
        EventID: 4688 
        NewProcessName: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
# Sysmon
detection:
    process:
        EventID: 1 
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'