From 6721251fdbcc0900926f52d10dab2df4183f4d49 Mon Sep 17 00:00:00 2001 From: aryu <153210755+Aryu-RU@users.noreply.github.com> Date: Mon, 1 Jun 2026 18:10:10 +0800 Subject: [PATCH] Add HackTool - Gogo Scanner Execution rule Detects execution of gogo (chainreactors/gogo), an open-source automated recon scanning engine designed for red teams. Anchors on the gogo binary name (released as gogo_windows_amd64.exe / gogo_windows_386.exe, or renamed to gogo.exe) combined with gogo-specific command-line patterns: distinctive port-preset tags (top1/top2/top3, win, db, docker, oracle, dubbo, lotus), supersmart scan modes (-m ss / -m sc), and config-listing commands (-P port / -P workflow). Notable in-the-wild use: Cisco Talos documented UAT-8302 (China-nexus APT) downloading gogo from its official GitHub releases for internal recon in their May 2026 report. Validated with tests/test_rules.py, tests/test_logsource.py, yamllint and sigma check (0 issues). --- .../proc_creation_win_hktl_gogo_scanner.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_gogo_scanner.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gogo_scanner.yml b/rules/windows/process_creation/proc_creation_win_hktl_gogo_scanner.yml new file mode 100644 index 00000000000..5ac04413dc1 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hktl_gogo_scanner.yml 
@@ -0,0 +1,46 @@ +title: HackTool - Gogo Scanner Execution +id: 02b1996d-2f4b-4f4e-bb6f-ceeb05024bd6 +status: experimental +description: | + Detects execution of "gogo" (chainreactors/gogo), a high-performance open-source automated scanning engine designed for red teams. + The tool uses distinctive Gogo-specific port-preset tags (e.g. "top1", "top2", "top3", "win", "db", "docker", "oracle") with the "-p" flag, supersmart scan modes ("-m ss", "-m sc"), and config-listing commands ("-P port", "-P workflow"). + Cisco Talos documented its use by the China-nexus APT group UAT-8302 in their May 2026 report, where the operators downloaded "gogo_windows_amd64.exe" from the official GitHub releases and used it for internal network reconnaissance. +references: + - https://github.com/chainreactors/gogo + - https://blog.talosintelligence.com/uat-8302/ + - https://chainreactors.github.io/wiki/gogo/ +author: Aryu-RU +date: 2026-05-30 +tags: + - attack.discovery + - attack.t1046 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\gogo.exe' + - '\gogo_windows_amd64.exe' + - '\gogo_windows_386.exe' + CommandLine|contains: + # Gogo-specific port preset tags (used with the -p flag) + - ' -p top1' + - ' -p top2' + - ' -p top3' + - ' -p win' + - ' -p db' + - ' -p docker' + - ' -p oracle' + - ' -p dubbo' + - ' -p lotus' + # Gogo "supersmart" / "smartC" scan modes + - ' -m ss' + - ' -m sc' + # Gogo config-listing commands + - ' -P port' + - ' -P workflow' + condition: selection +falsepositives: + - Legitimate use of gogo by security professionals or system administrators for authorized network assessment. +level: high
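Review bot: The `condition: selection` requires both the `Image|endswith` list and a `CommandLine|contains` hit, so an execution such as `gogo_windows_amd64.exe -i <range>` that relies on gogo's default port set (no `-p`, `-m` or `-P` argument) is never detected even though the binary name alone is distinctive. Consider splitting the logic into two selections: one on the release names `\gogo_windows_amd64.exe` / `\gogo_windows_386.exe` with no command-line requirement, and one that keeps the command-line patterns for the generic `\gogo.exe` name, joined with `condition: 1 of selection_*`. Two smaller points in the same block: Sigma string matching is case-insensitive by default, so `' -P port'` and `' -P workflow'` are equivalent to `' -p port'` / `' -p workflow'` and the comment distinguishing "config-listing commands" from the `-p` preset tags does not hold at match time (use the `cased` modifier if the distinction matters for the backend); and short values like `' -p db'` and `' -p win'` are prefix matches that also cover `-p dbx` or `-p windows`, which is acceptable only because the image filter narrows the scope, so the description should say the command-line patterns are secondary rather than "Gogo-specific".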