Qakbot Rundll32 Fake DLL Extension Execution

Detects a rundll32.exe process started by one of the shells, script hosts or download utilities that Qakbot loaders have been seen to use (cmd, cscript, wscript, mshta, powershell, pwsh, curl), with a command line that points into a user-writable staging directory (ProgramData, Users\Public, AppData\Local\Temp or AppData\Roaming) but contains no ".dll" string, i.e. the DLL was dropped under a fake extension. This is often linked with potential Qakbot activity. Note that the extension filter is a plain substring test over the whole command line, so any invocation that mentions ".dll" anywhere is excluded, and rundll32 launched from a parent outside the listed set is out of scope by design: the parent and path lists are deliberately kept narrow to avoid matching other malware families.

Sigma rule

title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: test
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-24
tags:
    - attack.defense-evasion
    - attack.execution
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    filter_main_extension:
        CommandLine|contains: '.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: critical
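To see exactly what the selection and filter above do and do not catch, here is an added example (not part of the SigmaHQ rule or of this page) that replays the rule's logic in Python over a handful of constructed process_creation events. Field names follow the Sigma process_creation convention the rule uses; the sample paths, file names and event ids are made up for illustration and are not captured telemetry. Sigma's `endswith` and `contains` modifiers match case-insensitively, so every comparison lowercases both sides.

```python
# Added example: a minimal replay of the rule's selection / filter logic.
# Field names follow the Sigma process_creation log source used by the rule.
# Sigma's `endswith` / `contains` modifiers are case-insensitive, so all
# comparisons below lowercase both sides.

PARENT_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\curl.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
IMAGE_SUFFIX = "\\rundll32.exe"
STAGING_PATHS = (
    ":\\ProgramData\\", ":\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
)
FILTER_EXTENSION = ".dll"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not 1 of filter_main_*`."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection = (
        any(parent.endswith(p.lower()) for p in PARENT_IMAGES)
        and image.endswith(IMAGE_SUFFIX)
        and any(p.lower() in cmdline for p in STAGING_PATHS)
    )
    # filter_main_extension: a plain substring test over the whole command line
    filter_main_extension = FILTER_EXTENSION in cmdline
    return selection and not filter_main_extension


# Constructed sample events (not captured telemetry); paths and names are made up.
SAMPLE_EVENTS = [
    {   # Script host launches rundll32 on a staged payload with no .dll extension
        "id": "qakbot_like",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": 'rundll32.exe "C:\\Users\\Public\\update.tmp",Wind',
    },
    {   # Same parent and staging path, but the payload keeps .dll: filtered out
        "id": "dll_extension",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\ProgramData\\tool.dll,Start",
    },
    {   # The filter is a substring test: ".dll" anywhere in the line excludes it
        "id": "dll_substring",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\ProgramData\\stage\\payload.dll.txt,Run",
    },
    {   # Benign: explorer loading a System32 DLL; wrong parent and wrong path
        "id": "benign_shell32",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    },
    {   # Out of scope by design: parent is not in the Qakbot-specific list
        "id": "unlisted_parent",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": 'rundll32.exe "C:\\Users\\Public\\loader.dat",Run',
    },
    {   # Case variance: the rule still matches because comparisons are case-insensitive
        "id": "mixed_case",
        "ParentImage": "C:\\WINDOWS\\SYSTEM32\\POWERSHELL.EXE",
        "Image": "C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE",
        "CommandLine": "RUNDLL32.EXE C:\\USERS\\BOB\\APPDATA\\ROAMING\\X\\Y.TXT,DllRegisterServer",
    },
]


def run_rule(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{'ALERT' if matches_rule(event) else 'pass '}  {event['id']}")
```

Running it alerts on `qakbot_like` and `mixed_case` only. The `dll_substring` event is the practical caveat: because `filter_main_extension` is a `contains` test rather than a check on the loaded file's real extension, a command line that mentions `.dll` in any position is dropped, while `rundll32.exe` itself does not trigger the filter since it has no dot before `dll`.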
