Malicious QakBot Dropped File Creation (Sysmon)
Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
Sigma rule
```yaml
title: Malicious QakBot Dropped File Creation (Sysmon)
id: 8e401ffe-ca9b-4bb2-87aa-8e285811d43f
status: experimental
description: Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/17
tags:
    - attack.initial_access
    - attack.defense_evasion
    - attack.t1566
    - attack.t1027
    - attack.t1553
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.html'
            - '.zip'
            - '.iso'
            - '.lnk'
        TargetFilename|re: '.*TXRTN_[0-9]{7}\..*'
    condition: selection
falsepositives:
    - Unknown
level: high
```
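The selection above ANDs two conditions on `TargetFilename`: the file must end in one of the four listed extensions and must contain `TXRTN_` followed by exactly seven digits and a dot. The following Python is an added example, not part of the rule or the catalog, that reproduces that logic over a handful of constructed Sysmon Event ID 11 (FileCreate) records so the matching behaviour can be checked before the rule is deployed. It follows the Sigma convention that plain string modifiers such as `endswith` compare case-insensitively while the `re` modifier is case-sensitive as written; the file paths and process names in the sample records are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 11 records, reduced to the fields the rule consults.
# None of these paths come from real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\TXRTN_2636021.html"},      # expected hit
    {"EventID": 11, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TXRTN_2636021.zip"},  # expected hit
    {"EventID": 11, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.html"},            # benign name
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\TXRTN_12345.zip"},         # only five digits
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\TXRTN_2636021.pdf"},       # extension not in list
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\txrtn_2636021.iso"},       # lowercase: regex is case-sensitive
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo TXRTN_2636021.lnk"},                    # not a file_event
]

# The rule's two selection clauses, transcribed literally.
SUFFIXES = (".html", ".zip", ".iso", ".lnk")
PATTERN = re.compile(r".*TXRTN_[0-9]{7}\..*")


def matches_rule(target_filename: str) -> bool:
    """Return True when the filename satisfies both clauses of the Sigma selection."""
    # endswith: case-insensitive string comparison, so ".HTML" would still match.
    suffix_ok = target_filename.lower().endswith(SUFFIXES)
    # re: case-sensitive regular expression, applied as a search over the whole field.
    regex_ok = PATTERN.search(target_filename) is not None
    return suffix_ok and regex_ok


def evaluate(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to Sysmon records; only Event ID 11 carries TargetFilename."""
    return [
        ev for ev in events
        if ev.get("EventID") == 11 and matches_rule(str(ev.get("TargetFilename", "")))
    ]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"])
```

The lowercase `txrtn_` sample is included deliberately: because the `re` modifier is case-sensitive, it slips past this rule even though the `endswith` clause would accept it. If the operator wants case-insensitive matching, the regex flag modifier (`re|i` in current Sigma) or a `contains` clause is the place to change it, not the `endswith` list.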
Related rules
- CMD Launching Batch Script Stored on External Drive (Chromeloader)
- Command Shell Obfuscated Commands
- Powershell Obfuscation and Escape Characters
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components