Qakbot Campaign Self Deletion
| Id | 47c02e21-3949-4e05-a28e-576cd75ff6f6 |
| Rulename | Qakbot Campaign Self Deletion |
| Description | This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also. The following query detects if an instance of Qakbot has attempted to overwrite its original binary. Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/ |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1070 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml |
| Version | 1.0.0 |
| Arm template | 47c02e21-3949-4e05-a28e-576cd75ff6f6.json |
DeviceProcessEvents
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
severity: Medium
relevantTechniques:
- T1070
triggerThreshold: 0
id: 47c02e21-3949-4e05-a28e-576cd75ff6f6
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml
description: |
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
The following query detects if an instance of Qakbot has attempted to overwrite its original binary.
Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
kind: Scheduled
tags:
- Qakbot
- Ransomware
- Self Deletion
- Defense Evasion
triggerOperator: gt
name: Qakbot Campaign Self Deletion
queryPeriod: 1h
status: Available
version: 1.0.0
query: |
DeviceProcessEvents
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
queryFrequency: 1h