Qakbot Discovery Activies
| Id | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 |
| Rulename | Qakbot Discovery Activies |
| Description | This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe. |
| Severity | Medium |
| Tactics | DefenseEvasion Discovery Execution |
| Techniques | T1140 T1010 T1059 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml |
| Version | 1.0.0 |
| Arm template | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27.json |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
version: 1.0.0
kind: Scheduled
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
queryPeriod: 1h
severity: Medium
triggerOperator: gt
relevantTechniques:
- T1140
- T1010
- T1059
id: ba9db6b2-3d05-42ae-8aee-3a15bbe29f27
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml
query: |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tags:
- Ransomware
- Qakbot
- Discovery
tactics:
- DefenseEvasion
- Discovery
- Execution
triggerThreshold: 0
status: Available
description: |
This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
name: Qakbot Discovery Activies