Qbot Mounted Drive Script Executions

Detects Windows Scripting Host processes (wscript.exe and cscript.exe) that are invoking the execution of common scripting formats that Red Canary has observed being used by Qbot—such as .js, .vbs, and .wsf—that are from a logical mounted drive using the drive letters D: through Z: and that have a child process. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Qbot Mounted Drive Script Executions
id: e69d709f-097f-4798-bf9a-aa600fc3249f
status: experimental
description: |
    Detects Windows Scripting Host processes (wscript.exe and cscript.exe) that are
    invoking the execution of common scripting formats that Red Canary has observed
    being used by Qbot—such as .js, .vbs, and .wsf—that are from a logical mounted
    drive using the drive letters D: through Z: and that have a child process. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0650
    - attack.execution
    - attack.t1059
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        # Drive letter D-Z, a backslash, any path, then a .js/.vbs/.wsf extension at the
        # end of the command line. The |re modifier is case-sensitive, hence the (?i).
        # (The published pattern used a character class where a group was meant and
        # an escaped dot where the path separator was meant, so it never matched a path.)
        CommandLine|re: '(?i)[d-z]:\\.*\.(js|vbs|wsf)$'
    condition: selection
falsepositives:
    - Unknown
level: low
```
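To see what the `selection` block actually fires on, here is an added Python harness (not part of the rule or of Red Canary's material) that evaluates the three fields against a handful of constructed process_creation events. It compares the regex as published on the page with a corrected one; the corrected pattern additionally tolerates a closing double quote after the extension, which the rule itself does not.

```python
import re

# The CommandLine regex exactly as published on the page, and a corrected version.
# Assumption: the intent is "drive letter D-Z, backslash, any path, .js/.vbs/.wsf at the
# end". The published pattern has a character class where an alternation group was
# meant and an escaped dot where the path separator was meant, so it never matches a
# real path. The corrected one also allows an optional closing quote (an extension).
ORIGINAL_RE = re.compile(r'[d-z]:\.*[js|vbs|wsf]$')
FIXED_RE = re.compile(r'(?i)[d-z]:\\.*\.(js|vbs|wsf)"?$')

# Constructed events, using the Sigma field names the rule reads.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" E:\docs\invoice.wsf'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe D:\setup\install.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\script.js"},            # C: drive, out of scope
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe D:\run.js"},                          # parent is not explorer
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe D:\tools\check.txt"},                 # not a listed extension
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "D:\share\run.js"'},                  # quoted path
]

def selection_matches(event, pattern=FIXED_RE):
    """Evaluate the rule's `selection` block for one event.
    Sigma's plain string modifiers (endswith) compare case-insensitively; the |re
    modifier does not unless the pattern says so, hence the (?i) in FIXED_RE."""
    parent_ok = event["ParentImage"].lower().endswith("\\explorer.exe")
    image_ok = event["Image"].lower().endswith(("\\cscript.exe", "\\wscript.exe"))
    cmdline_ok = pattern.search(event["CommandLine"]) is not None
    return parent_ok and image_ok and cmdline_ok

def matching_indices(events=EVENTS, pattern=FIXED_RE):
    """Indices of the events the rule would alert on with the given CommandLine regex."""
    return [i for i, e in enumerate(events) if selection_matches(e, pattern)]

if __name__ == "__main__":
    print("published regex hits:", matching_indices(pattern=ORIGINAL_RE))  # []
    print("corrected regex hits:", matching_indices())                     # [0, 1, 5]
```

The published pattern only matches fragments such as `d:s` (a lowercase drive letter, optional literal dots, then one character from the class), so it produces no hits on any of the sample command lines.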
