Qakbot Regsvr32 Calc Pattern

Detects a specific "regsvr32" command line in which the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen in Qakbot activity.

Sigma rule

```yaml
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: experimental
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
    - https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.execution
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -s'
        CommandLine|endswith: ' calc'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
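The following is an added example, not part of the SigmaHQ rule or the referenced repository: it re-implements the rule's `selection` block in plain Python so the matching semantics can be exercised offline against a few constructed process-creation events. Two points are easy to miss when reading the YAML: Sigma string matching is case-insensitive, and the `windash` modifier expands `' -s'` into the dash variants a Windows command line may carry (pySigma expands to `-`, `/` and the Unicode dash characters; the `WINDASH_VARIANTS` tuple below assumes your backend does the same). The sample events and their paths are constructed for illustration and are not real telemetry.

```python
"""Stand-alone re-implementation of the 'Qakbot Regsvr32 Calc Pattern'
selection logic (added example; not the SigmaHQ rule's own code)."""

# Characters the Sigma `windash` modifier substitutes for '-'. pySigma expands
# to '-', '/' and the Unicode dashes below; assumption: your backend matches this.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value: str) -> list[str]:
    """Return every variant of `value` with '-' replaced by each windash character."""
    return [value.replace("-", dash) for dash in WINDASH_VARIANTS]


def matches_qakbot_regsvr32_calc(event: dict) -> bool:
    """True when the event satisfies all three conditions of the rule's
    `selection` block. Sigma matching is case-insensitive, so both fields
    are lower-cased before comparison."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # Image|endswith: '\regsvr32.exe'
    if not image.endswith("\\regsvr32.exe"):
        return False
    # CommandLine|contains|windash: ' -s'
    if not any(variant in cmdline for variant in windash_variants(" -s")):
        return False
    # CommandLine|endswith: ' calc'
    return cmdline.endswith(" calc")


def scan(events: list[dict]) -> list[int]:
    """Return the indexes of all events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches_qakbot_regsvr32_calc(event)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: slash form of the flag, trailing 'calc' -> match
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s C:\\Users\\Public\\lib.dll calc"},
    # 1: dash form, mixed case, WOW64 binary -> match (matching is case-insensitive)
    {"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "CommandLine": "REGSVR32 -S \"C:\\ProgramData\\a.dll\" CALC"},
    # 2: legitimate silent registration without the trailing keyword -> no match
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s C:\\Windows\\System32\\scrrun.dll"},
    # 3: 'calc' present but not as the final token -> no match (endswith is strict)
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s calc.dll"},
    # 4: right-looking command line under a different image -> no match
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /s calc"},
    # 5: en dash instead of '-' -> match only because windash covers Unicode dashes
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 \u2013s C:\\tmp\\x.dll calc"},
]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"event {idx} matched: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Events 3 and 4 show why the rule is narrow enough to carry `falsepositives: Unlikely`: a `calc.dll` argument or a non-regsvr32 image does not fire, so the rule only triggers on the exact trailing-keyword shape it describes. If your SIEM backend does not implement `windash` with Unicode dashes, event 5 would be missed; check the backend's conversion of the rule rather than assuming it.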
