Potential Qakbot Rundll32 Execution

calendar Apr 1, 2024 · attack.defense_evasion attack.execution detection.emerging_threats  ·
Share on: linkedin copy

Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.

Sigma rule (View on GitHub)

 1title: Potential Qakbot Rundll32 Execution
 2id: cf879ffb-793a-4753-9a14-bc8f37cc90df
 3status: test
 4description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
 5references:
 6    - https://github.com/pr0xylife/Qakbot/
 7author: X__Junior (Nextron Systems)
 8date: 2023/05/24
 9tags:
10    - attack.defense_evasion
11    - attack.execution
12    - detection.emerging_threats
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_paths:
18        ParentImage|endswith:
19            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
20            - '\cmd.exe'
21            - '\cscript.exe'
22            - '\curl.exe'
23            - '\mshta.exe'
24            - '\powershell.exe'
25            - '\pwsh.exe'
26            - '\wscript.exe'
27        Image|endswith: '\rundll32.exe'
28        CommandLine|contains:
29            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
30            - ':\ProgramData\'
31            - ':\Users\Public\'
32            - '\AppData\Local\Temp\'
33            - '\AppData\Roaming\'
34    selection_extension:
35        CommandLine|contains: '.dll'
36    condition: all of selection_*
37falsepositives:
38    - Unlikely
39level: high

References

Related rules

to-top