Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Qakbot Discovery Activies

Qakbot Discovery Activies

Back
Idba9db6b2-3d05-42ae-8aee-3a15bbe29f27
RulenameQakbot Discovery Activies
DescriptionThis query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
SeverityMedium
TacticsDefenseEvasion
Discovery
Execution
TechniquesT1140
T1010
T1059
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml
Version1.0.0
Arm templateba9db6b2-3d05-42ae-8aee-3a15bbe29f27.json
Deploy To Azure
DeviceProcessEvents 
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
     or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
     or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
     or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
     or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
     or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)   
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
description: |
    This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml
triggerOperator: gt
queryPeriod: 1h
kind: Scheduled
status: Available
relevantTechniques:
- T1140
- T1010
- T1059
tactics:
- DefenseEvasion
- Discovery
- Execution
severity: Medium
name: Qakbot Discovery Activies
query: |
  DeviceProcessEvents 
  | where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
  | where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
       or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
       or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
       or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
       or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
       or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
  | summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)   
  | where DiscoveryCommands >= 3
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerThreshold: 0
version: 1.0.0
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
id: ba9db6b2-3d05-42ae-8aee-3a15bbe29f27
tags:
- Ransomware
- Qakbot
- Discovery

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba9db6b2-3d05-42ae-8aee-3a15bbe29f27')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba9db6b2-3d05-42ae-8aee-3a15bbe29f27')]",
      "properties": {
        "alertRuleTemplateName": "ba9db6b2-3d05-42ae-8aee-3a15bbe29f27",
        "customDetails": null,
        "description": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.\n",
        "displayName": "Qakbot Discovery Activies",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml",
        "query": "DeviceProcessEvents \n| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')\n| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))\n     or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')\n     or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))\n     or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')\n     or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')\n     or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')\n| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)   \n| where DiscoveryCommands >= 3\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Discovery",
          "Execution"
        ],
        "tags": [
          "Ransomware",
          "Qakbot",
          "Discovery"
        ],
        "techniques": [
          "T1010",
          "T1059",
          "T1140"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}