Qakbot Discovery Activies
Id | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 |
Rulename | Qakbot Discovery Activies |
Description | This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe. |
Severity | Medium |
Tactics | DefenseEvasion Discovery Execution |
Techniques | T1140 T1010 T1059 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml |
Version | 1.0.0 |
Arm template | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27.json |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
queryFrequency: 1h
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
description: |
This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml
triggerOperator: gt
queryPeriod: 1h
kind: Scheduled
status: Available
relevantTechniques:
- T1140
- T1010
- T1059
tactics:
- DefenseEvasion
- Discovery
- Execution
severity: Medium
name: Qakbot Discovery Activies
query: |
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))
or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')
or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))
or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')
or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')
or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')
| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m)
| where DiscoveryCommands >= 3
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerThreshold: 0
version: 1.0.0
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
id: ba9db6b2-3d05-42ae-8aee-3a15bbe29f27
tags:
- Ransomware
- Qakbot
- Discovery
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba9db6b2-3d05-42ae-8aee-3a15bbe29f27')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba9db6b2-3d05-42ae-8aee-3a15bbe29f27')]",
"properties": {
"alertRuleTemplateName": "ba9db6b2-3d05-42ae-8aee-3a15bbe29f27",
"customDetails": null,
"description": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.\n",
"displayName": "Qakbot Discovery Activies",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml",
"query": "DeviceProcessEvents \n| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')\n| where (FileName =~ 'net.exe' and InitiatingProcessCommandLine has_all('view','/all'))\n or (FileName =~ 'whoami.exe' and InitiatingProcessCommandLine has '/all')\n or (FileName =~ 'nslookup.exe' and InitiatingProcessCommandLine has_all('querytype=ALL','timeout=10'))\n or (FileName =~ 'netstat.exe' and InitiatingProcessCommandLine has '-nao')\n or (FileName =~ 'arp.exe' and InitiatingProcessCommandLine has '-a')\n or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1')\n| summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName, bin(TimeGenerated, 5m) \n| where DiscoveryCommands >= 3\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Execution"
],
"tags": [
"Ransomware",
"Qakbot",
"Discovery"
],
"techniques": [
"T1010",
"T1059",
"T1140"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}