Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Qakbot Campaign Self Deletion

Qakbot Campaign Self Deletion

Back
Id47c02e21-3949-4e05-a28e-576cd75ff6f6
RulenameQakbot Campaign Self Deletion
DescriptionThis query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware

Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.

The following query detects if an instance of Qakbot has attempted to overwrite its original binary.

Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
SeverityMedium
TacticsDefenseEvasion
TechniquesT1070
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml
Version1.0.0
Arm template47c02e21-3949-4e05-a28e-576cd75ff6f6.json
Deploy To Azure
DeviceProcessEvents 
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

tactics:
- DefenseEvasion
relevantTechniques:
- T1070
id: 47c02e21-3949-4e05-a28e-576cd75ff6f6
severity: Medium
status: Available
name: Qakbot Campaign Self Deletion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  DeviceProcessEvents 
  | where FileName =~ "ping.exe"
  | where InitiatingProcessFileName =~ "cmd.exe"
  | where (InitiatingProcessCommandLine has "calc.exe") and (InitiatingProcessCommandLine has "-n 6") and (InitiatingProcessCommandLine has "127.0.0.1")
  | project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
queryPeriod: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
tags:
- Qakbot
- Ransomware
- Self Deletion
- Defense Evasion
triggerOperator: gt
triggerThreshold: 0
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
  Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects if an instance of Qakbot has attempted to overwrite its original binary.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/  
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml
queryFrequency: 1h
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47c02e21-3949-4e05-a28e-576cd75ff6f6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47c02e21-3949-4e05-a28e-576cd75ff6f6')]",
      "properties": {
        "alertRuleTemplateName": "47c02e21-3949-4e05-a28e-576cd75ff6f6",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware\nQakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.\nThe following query detects if an instance of Qakbot has attempted to overwrite its original binary.\nReference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/\n",
        "displayName": "Qakbot Campaign Self Deletion",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml",
        "query": "DeviceProcessEvents \n| where FileName =~ \"ping.exe\"\n| where InitiatingProcessFileName =~ \"cmd.exe\"\n| where (InitiatingProcessCommandLine has \"calc.exe\") and (InitiatingProcessCommandLine has \"-n 6\") and (InitiatingProcessCommandLine has \"127.0.0.1\")\n| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "Qakbot",
          "Ransomware",
          "Self Deletion",
          "Defense Evasion"
        ],
        "techniques": [
          "T1070"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}