Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Qakbot Campaign Self Deletion

Qakbot Campaign Self Deletion

Back
Id47c02e21-3949-4e05-a28e-576cd75ff6f6
RulenameQakbot Campaign Self Deletion
DescriptionThis query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware

Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.

The following query detects if an instance of Qakbot has attempted to overwrite its original binary.

Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
SeverityMedium
TacticsDefenseEvasion
TechniquesT1070
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml
Version1.0.0
Arm template47c02e21-3949-4e05-a28e-576cd75ff6f6.json
Deploy To Azure
DeviceProcessEvents 
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Qakbot Campaign Self Deletion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml
queryPeriod: 1h
severity: Medium
tags:
- Qakbot
- Ransomware
- Self Deletion
- Defense Evasion
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
queryFrequency: 1h
relevantTechniques:
- T1070
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
  Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects if an instance of Qakbot has attempted to overwrite its original binary.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/  
tactics:
- DefenseEvasion
query: |
  DeviceProcessEvents 
  | where FileName =~ "ping.exe"
  | where InitiatingProcessFileName =~ "cmd.exe"
  | where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
  | project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
id: 47c02e21-3949-4e05-a28e-576cd75ff6f6
version: 1.0.0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47c02e21-3949-4e05-a28e-576cd75ff6f6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47c02e21-3949-4e05-a28e-576cd75ff6f6')]",
      "properties": {
        "alertRuleTemplateName": "47c02e21-3949-4e05-a28e-576cd75ff6f6",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware\nQakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.\nThe following query detects if an instance of Qakbot has attempted to overwrite its original binary.\nReference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/\n",
        "displayName": "Qakbot Campaign Self Deletion",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml",
        "query": "DeviceProcessEvents \n| where FileName =~ \"ping.exe\"\n| where InitiatingProcessFileName =~ \"cmd.exe\"\n| where (InitiatingProcessCommandLine has \"calc.exe\") and (InitiatingProcessCommandLine has \"-n 6\") and (InitiatingProcessCommandLine has \"127.0.0.1\")\n| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "Qakbot",
          "Ransomware",
          "Self Deletion",
          "Defense Evasion"
        ],
        "techniques": [
          "T1070"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}