Qakbot Rundll32 Fake DLL Extension Execution
Detects rundll32.exe spawned by one of a small set of interpreters and downloaders seen in Qakbot infection chains (cmd, cscript, wscript, mshta, curl, powershell, pwsh) with a command line that references a user-writable staging directory (ProgramData, Users\Public, AppData\Local\Temp, AppData\Roaming) but contains no ".dll" substring, i.e. the module being loaded has a fake or missing extension. This process tree is often linked with Qakbot activity.
Sigma rule
```yaml
title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: test
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-24
tags:
    - attack.defense-evasion
    - attack.execution
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    filter_main_extension:
        CommandLine|contains: '.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: critical
```
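The following is an added example, not code from the Sigma project or the rule authors: a minimal Python evaluator that applies the rule's `selection` and `filter_main_extension` logic to constructed process-creation events. Field names follow the Sigma `process_creation` schema (`ParentImage`, `Image`, `CommandLine`); Sigma string modifiers compare case-insensitively by default, so every value is lower-cased before matching. The sample events are constructed for illustration and are not real telemetry. Note what the last event shows: `filter_main_extension` is a plain substring test on the whole command line, so any `.dll` anywhere in the arguments suppresses the alert even when the file handed to rundll32 has a non-DLL extension.

```python
from typing import Dict, List

# Values copied from the rule above; stored lower-cased because Sigma
# string modifiers (endswith/contains) are case-insensitive by default.
PARENT_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\curl.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
IMAGE_SUFFIX = "\\rundll32.exe"
PATH_FRAGMENTS = (
    ":\\programdata\\", ":\\users\\public\\",
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
)
FILTER_SUBSTRING = ".dll"

Event = Dict[str, str]


def _field(event: Event, name: str) -> str:
    """Fetch a field as a lower-cased string (missing field -> empty string)."""
    return str(event.get(name, "")).lower()


def selection(event: Event) -> bool:
    """The rule's 'selection' block: all three field tests must hold."""
    return (
        _field(event, "ParentImage").endswith(PARENT_SUFFIXES)
        and _field(event, "Image").endswith(IMAGE_SUFFIX)
        and any(p in _field(event, "CommandLine") for p in PATH_FRAGMENTS)
    )


def filter_main_extension(event: Event) -> bool:
    """'filter_main_extension': a substring test over the whole command line."""
    return FILTER_SUBSTRING in _field(event, "CommandLine")


def matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_extension(event)


def evaluate(events: List[Event]) -> List[str]:
    """Return the label of every event the rule would alert on, in order."""
    return [e["name"] for e in events if matches(e)]


# Constructed sample events (not real telemetry); 'name' is only a label.
SAMPLE_EVENTS: List[Event] = [
    {"name": "qakbot_style_png",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Users\\Public\\invoice.png,Start"},
    # No extension at all; note that 'rundll32.exe' itself does not contain '.dll'.
    {"name": "no_extension",
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": "RUNDLL32.EXE \"C:\\ProgramData\\update\",run"},
    # Ordinary DLL from a vendor directory: suppressed by the filter.
    {"name": "real_dll_suffix",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\ProgramData\\Vendor\\helper.dll,Init"},
    # Parent not in the rule's list: selection fails.
    {"name": "parent_not_in_list",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Users\\Public\\a.png,Start"},
    # Staging path not in the rule's list: selection fails.
    {"name": "path_not_in_list",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Windows\\Temp\\a.png,Start"},
    # Caveat: '.dll' appears in a later argument, so the filter suppresses the
    # alert although the module passed to rundll32 is still a .png.
    {"name": "dll_elsewhere_in_cmdline",
     "ParentImage": "C:\\Windows\\System32\\powershell.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32 C:\\Users\\Public\\a.png,Start C:\\Users\\Public\\notes.dll.txt"},
]


if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Running the block prints alerts for `qakbot_style_png` and `no_extension` only. When porting the rule to a backend, confirm that the backend's `contains` and `endswith` are case-insensitive and that it does not tokenize the command line, since both assumptions are baked into the rule's `filter_main_extension` behaviour shown above.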
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- Goofy Guineapig Backdoor IOC
- Greenbug Espionage Group Indicators
- Operation Wocao Activity