QBot rundll32.exe Non-standard File Proxy Execution (RedCanary Threat Detection Report)
Detects Rundll32.exe process creations with non-standard file types, denoted by excluding the common file types from the command-line selection. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: QBot rundll32.exe Non-standard File Proxy Execution (RedCanary Threat Detection Report)
id: bb1cfac0-eca2-4803-9acd-aa75f5b84ff4
status: experimental
description: Detects Rundll32.exe process creations with non-standard file types, denoted by excluding the common file types from the command-line selection. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0650
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    filter:
        CommandLine|contains:
            - '.dll'
            - '.cpl'
            - '.ax'
            - '.ocx'
            - '.inf'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
```
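To make the `selection and not filter` logic concrete, the following added example (not part of the rule or of RedCanary's report) evaluates the rule's conditions in Python against a handful of constructed process-creation events. Sigma's `endswith` and `contains` modifiers are case-insensitive substring matches, which the helper reproduces by lower-casing both sides; the event field names and sample paths are assumptions made for the illustration.

```python
"""Evaluate the rundll32.exe non-standard file extension rule against sample events.

Added example: this is not the Sigma project's code and not RedCanary's detection
logic; it re-implements the rule's selection/filter/condition in plain Python so the
matching semantics can be inspected.
"""
from dataclasses import dataclass

# Extensions rundll32.exe is expected to load, copied from the rule's filter list.
STANDARD_EXTENSIONS = ('.dll', '.cpl', '.ax', '.ocx', '.inf')


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names assumed for the example)."""
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Sigma string modifiers are case-insensitive, so both sides are lower-cased
    before comparison. `contains` is a plain substring test, exactly as the rule's
    `CommandLine|contains` list is interpreted.
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    selection = image.endswith('\\rundll32.exe')
    filter_hit = any(ext in cmd for ext in STANDARD_EXTENSIONS)
    return selection and not filter_hit


def evaluate(events):
    """Return the subset of events that would raise an alert under the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real events); paths are placeholders.
SAMPLE_EVENTS = [
    # Standard DLL load: filter suppresses the alert.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    # Non-standard extension passed to rundll32: alert.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\sample.dat,#1"),
    # Control panel applet: filter suppresses the alert.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\panel.cpl"),
    # Quoted image path plus .tmp file: alert (filter list does not cover .tmp).
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Users\u\AppData\Local\Temp\a.tmp,#1'),
    # Different image: selection fails regardless of the command line.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c rundll32.exe payload.bin"),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```

Two points the walk-through makes visible: the rule fires on any rundll32.exe launch whose command line lacks one of the five listed extensions, including one with no file argument at all, which is why the rule ships at `level: low` with `falsepositives: Unknown` and needs baselining in each environment; and because the filter is a substring match over the whole command line, any occurrence of a listed extension anywhere in the line suppresses the alert, so analysts reviewing hits should inspect the actual module argument rather than rely on the extension check alone.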
Related rules
- QBot Mounted Drive Execution (RedCanary Threat Detection Report)
- ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- Web Browser Creates Zip Archive File (Sysmon)