QBot Mounted Drive Execution (RedCanary Threat Detection Report)
Detects process creation from wscript or cscript interpreters with commands occurring on mounted drive letters. Defenders should check whether these processes have child processes. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: QBot Mounted Drive Execution (RedCanary Threat Detection Report)
id: 949afe0b-2d45-4999-be9c-fe4808b8a68b
status: experimental
description: Detects process creation from wscript or cscript interpreters with commands occurring on mounted drive letters. Defenders should check whether these processes have child processes. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0650
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|re: '[d-z]:\\[^\\]+\.(?:js|vbs|wsf)'
    condition: selection
falsepositives:
    - Unknown
level: low
```
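The rule's selection logic applied to a few constructed process_creation events, together with the follow-up step the description asks for (listing the child processes of each hit). This is an added Python example, not part of the Sigma rule or the RedCanary report; the field names follow the rule, the events and process ids are constructed, and the `ignore_case` switch is an assumption made explicit because Sigma's `re` modifier hands the expression to the backend as written, so whether `[d-z]` also matches an uppercase drive letter depends on that backend's flags.

```python
import re

# Rule fields transcribed from the Sigma rule above.
PARENT_SUFFIX = "\\explorer.exe"
IMAGE_SUFFIXES = ("\\wscript.exe", "\\cscript.exe")
CMDLINE_PATTERN = r"[d-z]:\\[^\\]+\.(?:js|vbs|wsf)"


def compile_rule(ignore_case=True):
    """Compile the CommandLine regex. Whether the backend matches the drive
    letter case-insensitively is an assumption, so it is a parameter here."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(CMDLINE_PATTERN, flags)


def _endswith_ci(value, suffixes):
    # Sigma string modifiers such as endswith are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event, pattern):
    """True when the event satisfies every field of the rule's selection."""
    return (_endswith_ci(event["ParentImage"], (PARENT_SUFFIX,))
            and _endswith_ci(event["Image"], IMAGE_SUFFIXES)
            and pattern.search(event["CommandLine"]) is not None)


def triage(events, ignore_case=True):
    """Apply the rule, then collect the children of each hit by ParentProcessId.
    Returns (list of hit pids, dict of hit pid -> list of child Image paths)."""
    pattern = compile_rule(ignore_case)
    hits = [e for e in events if matches_rule(e, pattern)]
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ParentProcessId"], []).append(e)
    children = {h["ProcessId"]: [c["Image"] for c in by_parent.get(h["ProcessId"], [])]
                for h in hits}
    return [h["ProcessId"] for h in hits], children


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # script launched from the root of a mounted drive: the rule's target case
    {"ProcessId": 4000, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" D:\invoice.js'},
    # child of the hit above; this is what "check for child processes" surfaces
    {"ProcessId": 4010, "ParentProcessId": 4000,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ver"},
    # fixed disk C: is excluded by [d-z]
    {"ProcessId": 4020, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Desktop\cleanup.vbs"},
    # script in a subdirectory: [^\\]+ cannot cross the second backslash
    {"ProcessId": 4030, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe E:\deploy\setup.wsf"},
    # parent is not explorer.exe
    {"ProcessId": 4040, "ParentProcessId": 2200,
     "ParentImage": r"C:\Program Files\Vendor\Scheduler.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe F:\setup.wsf"},
]

if __name__ == "__main__":
    hits, children = triage(SAMPLE_EVENTS)
    for pid in hits:
        print(f"hit pid={pid} children={children[pid]}")
    # with a case-sensitive compile the uppercase D: in the first event is missed
    print("case-sensitive hits:", triage(SAMPLE_EVENTS, ignore_case=False)[0])
```

Two things the sample makes visible: the regex only matches a script sitting directly in the drive root, because a second backslash ends `[^\\]+`, so `E:\deploy\setup.wsf` is not a hit; and with a case-sensitive compile the uppercase `D:` in the first event is missed entirely. Check both against the drive-letter casing and path depth your telemetry actually records before tuning the rule.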
Related rules
- ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- Web Browser Creates Zip Archive File (Sysmon)
- Application Bypass with RunDLL32 and DllRegisterServer Function