Qakbot Discovery Activies
| Id | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 |
| Rulename | Qakbot Discovery Activies |
| Description | This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe. |
| Severity | Medium |
| Tactics | DefenseEvasion Discovery Execution |
| Techniques | T1140 T1010 T1059 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml |
| Version | 1.0.0 |
| Arm template | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27.json |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Qakbot Discovery Activies
relevantTechniques:
- T1140
- T1010
- T1059
id: ba9db6b2-3d05-42ae-8aee-3a15bbe29f27
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
version: 1.0.0
severity: Medium
triggerThreshold: 0
tags:
- Ransomware
- Qakbot
- Discovery
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
queryFrequency: 1h
status: Available
query: |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
tactics:
- DefenseEvasion
- Discovery
- Execution
kind: Scheduled
description: |
This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
triggerOperator: gt