Malicious QakBot Dropped File Creation (Event 4663)
Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
Sigma rule

```yaml
title: Malicious QakBot Dropped File Creation (Event 4663)
id: 7daae1fd-b462-4628-a87e-5f639351b783
status: experimental
description: Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/17
tags:
    - attack.initial_access
    - attack.defense_evasion
    - attack.t1566
    - attack.t1027
    - attack.t1553
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        AccessList: '%%4417'
        ObjectName|endswith:
            - '.html'
            - '.zip'
            - '.iso'
            - '.lnk'
        ObjectName|re: '.*TXRTN_[0-9]{7}\..*'
    condition: selection
falsepositives:
    - Unknown
level: high
```
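To make the selection logic concrete, the following added Python example (not part of this rule page, the Sigma project, or the Trellix research) evaluates the same field conditions the rule expresses, AND-ed together exactly as a single `selection` is, over a handful of constructed Event 4663 records. The sample records and file paths are invented for illustration; the `%%4417` string is the access-mask token the Security log resolves to "WriteData (or AddFile)".

```python
import re

# Sigma matches plain string values case-insensitively, so the suffix and
# ObjectType/AccessList comparisons below are case-insensitive; the "re"
# modifier applies the expression as written, which here is case-sensitive.
SUFFIXES = (".html", ".zip", ".iso", ".lnk")
NAME_PATTERN = re.compile(r".*TXRTN_[0-9]{7}\..*")

# Constructed sample events (not real telemetry). Only the fields the rule
# reads are included. Comments state why each record does or does not match.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
     "ObjectName": r"C:\Users\alice\Downloads\TXRTN_1234567.html"},        # match
    {"EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
     "ObjectName": r"C:\Users\alice\AppData\Local\Temp\TXRTN_7654321.zip"},  # match
    {"EventID": 4663, "ObjectType": "File", "AccessList": "%%4416",
     "ObjectName": r"C:\Users\alice\Downloads\TXRTN_1234567.html"},        # ReadData, not WriteData
    {"EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
     "ObjectName": r"C:\Users\alice\Downloads\TXRTN_123.html"},            # only 3 digits
    {"EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
     "ObjectName": r"C:\Users\alice\Downloads\TXRTN_1234567.docx"},        # extension not listed
    {"EventID": 4656, "ObjectType": "File", "AccessList": "%%4417",
     "ObjectName": r"C:\Users\alice\Downloads\TXRTN_1234567.lnk"},         # handle request, not 4663
    {"EventID": 4663, "ObjectType": "Key", "AccessList": "%%4417",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\TXRTN_1234567.iso"},       # registry object, not File
]


def _ci_eq(value, expected: str) -> bool:
    """Case-insensitive equality on the string form of a field value."""
    return str(value).lower() == expected.lower()


def matches_selection(event: dict) -> bool:
    """Return True only when every field condition of the rule's selection holds."""
    if not _ci_eq(event.get("EventID", ""), "4663"):
        return False
    if not _ci_eq(event.get("ObjectType", ""), "File"):
        return False
    if not _ci_eq(event.get("AccessList", ""), "%%4417"):
        return False
    name = str(event.get("ObjectName", ""))
    # ObjectName|endswith: any of the four listed extensions.
    if not name.lower().endswith(SUFFIXES):
        return False
    # ObjectName|re: TXRTN_ followed by exactly seven digits and a dot.
    return NAME_PATTERN.search(name) is not None


def detect(events) -> list:
    """Return the ObjectName of every event the rule would alert on, in order."""
    return [e["ObjectName"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it reports only the first two records. Two points worth remembering when deploying the rule: Event 4663 is produced only where the Audit File System subcategory is enabled and the written directory carries a matching SACL, so hosts without that auditing give this rule nothing to see (the Sysmon variant listed under related rules covers that gap where Sysmon is present); and because all five conditions must hold, a record that carries several access-mask tokens in `AccessList` will not match an exact-value comparison, so check how your pipeline normalises that field.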
Related rules
- Malicious QakBot Dropped File Creation (Sysmon)
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- Search-ms and WebDAV Indicators in URL
- WebDAV Temporary Local File Creation