Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Sigma rule

```yaml
title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: test
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023-05-24
modified: 2023-05-30
tags:
    - attack.defense-evasion
    - attack.execution
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_paths:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    selection_exports:
        CommandLine|endswith:
            # Note: Only add additional exports seen used by Qakbot
            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
            - 'bind'
            - 'DrawThemeIcon'
            - 'GG10'
            - 'GL70'
            - 'jhbvygftr'
            - 'kjhbhkjvydrt'
            - 'LS88'
            - 'Motd'
            - 'N115'
            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2
            - 'Nikn'
            - 'print'
            - 'qqqb'
            - 'qqqq'
            - 'RS32'
            - 'Test'
            - 'Time'
            - 'Updt'
            - 'vips'
            - 'Wind'
            - 'WW50'
            - 'X555'
            - 'XL55'
            - 'xlAutoOpen'
            - 'XS88'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: critical
```
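To make the rule's logic concrete, here is an added Python evaluator (not part of the rule page and not pySigma or any backend) that applies the two selections and the `all of selection_*` condition to constructed process_creation events. It assumes Sigma's default case-insensitive string matching for `endswith` and `contains`; the host names, paths and DLL names in the sample events are made up for the illustration.

```python
# Added example (not part of the Sigma rule page): a minimal evaluator for the
# rule's detection logic, run over constructed process_creation events.
# Sigma matches plain string modifiers case-insensitively by default, so the
# helpers lower-case both sides before comparing.
from typing import Dict, Iterable, List

# Values copied from the rule's selection_paths and selection_exports.
PARENT_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\curl.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
IMAGE_SUFFIX = "\\rundll32.exe"
PATH_FRAGMENTS = (
    ":\\ProgramData\\", ":\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
)
EXPORT_SUFFIXES = (
    "aslr", "bind", "DrawThemeIcon", "GG10", "GL70", "jhbvygftr", "kjhbhkjvydrt",
    "LS88", "Motd", "N115", "next", "Nikn", "print", "qqqb", "qqqq", "RS32",
    "Test", "Time", "Updt", "vips", "Wind", "WW50", "X555", "XL55",
    "xlAutoOpen", "XS88",
)


def ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma |endswith over a list: true if any suffix matches (case-insensitive)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, fragments: Iterable[str]) -> bool:
    """Sigma |contains over a list: true if any fragment occurs (case-insensitive)."""
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -- both selections must hold for one event."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_paths = (
        ends_with_any(parent, PARENT_IMAGES)
        and ends_with_any(image, (IMAGE_SUFFIX,))
        and contains_any(cmd, PATH_FRAGMENTS)
    )
    selection_exports = ends_with_any(cmd, EXPORT_SUFFIXES)
    return selection_paths and selection_exports


# Constructed sample events (hypothetical paths and DLL names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # script host spawning rundll32 from a user-writable path with a listed export
        "EventId": "evt-1",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Users\\Public\\kx.dll,Wind",
    },
    {   # same command line, but the parent is explorer.exe: selection_paths fails
        "EventId": "evt-2",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Users\\Public\\kx.dll,Wind",
    },
    {   # system DLL from System32: neither the path nor the export matches
        "EventId": "evt-3",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    },
    {   # pwsh parent, Roaming path, export 'print' in different case: still matches
        "EventId": "evt-4",
        "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "Image": "C:\\Windows\\SysWOW64\\RunDll32.exe",
        "CommandLine": "RunDll32.exe C:\\Users\\alice\\AppData\\Roaming\\upd.dll,PRINT",
    },
    {   # suspicious path but an export not on the list: selection_exports fails
        "EventId": "evt-5",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\ProgramData\\reg.dll,DllRegisterServer",
    },
]


def alerting_event_ids(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the EventIds that would fire the rule."""
    return [e["EventId"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```

Running it alerts on `evt-1` and `evt-4` only: `evt-2` and `evt-5` each satisfy one selection but not the other, which is exactly what `all of selection_*` requires. One caveat worth noting when tuning: `CommandLine|endswith` only fires when the export name is the final characters of the command line, so a trailing quote, space or extra argument after the export would not match and would need a separate selection if seen in telemetry.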
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- Goofy Guineapig Backdoor IOC
- Greenbug Espionage Group Indicators
- Operation Wocao Activity