Potentially Suspicious Usage Of Qemu

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Sigma rule

```yaml
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: experimental
description: |
    Detects potentially suspicious execution of the Qemu utility in a Windows environment.
    Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
    - https://securelist.com/network-tunneling-with-qemu/111803/
    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-m 1M' # A VM with only 1 MB of RAM cannot run a real guest, so this memory setting is suspicious on its own
            - '-m 2M'
            - '-m 3M'
        CommandLine|contains|all:
            - 'restrict=off'
            - '-netdev '
            - 'connect='
            - '-nographic' # Another key indicator: interactive use normally has a UI, so launching from a console without graphics is unusual
    filter_main_normal_usecase:
        CommandLine|contains:
            - ' -cdrom ' # Normal usage cases
            - ' type=virt '
            - ' -blockdev '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
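To check how the selection, the `contains|all` block and the `filter_main_*` exclusion combine, the following is an added example (not part of the Sigma project) that re-implements the rule's condition in Python and runs it over constructed process_creation events; the command lines, image names and the 203.0.113.10 address are made up for the test.

```python
"""Evaluate the Qemu Sigma rule's detection logic against sample events (added example)."""
from typing import Dict, List

# Match strings copied from the rule above.
SELECTION_ANY: List[str] = ["-m 1M", "-m 2M", "-m 3M"]            # CommandLine|contains (OR)
SELECTION_ALL: List[str] = ["restrict=off", "-netdev ", "connect=", "-nographic"]  # contains|all (AND)
FILTER_ANY: List[str] = [" -cdrom ", " type=virt ", " -blockdev "]  # filter_main_normal_usecase (OR)


def _contains(cmd: str, needles: List[str]) -> List[bool]:
    """Sigma's contains modifier is case-insensitive by default, so compare lowercased."""
    lowered = cmd.lower()
    return [n.lower() in lowered for n in needles]


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    cmd = event.get("CommandLine", "")
    # Both keys inside 'selection' are ANDed together.
    selection = any(_contains(cmd, SELECTION_ANY)) and all(_contains(cmd, SELECTION_ALL))
    filtered = any(_contains(cmd, FILTER_ANY))
    return selection and not filtered


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event that fires the rule."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Tiny-memory VM, restrict=off, socket connect, no UI: should fire.
        "Image": r"C:\Users\Public\qemu\qemu-system-i386.exe",
        "CommandLine": "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                       "-netdev socket,id=sock,connect=203.0.113.10:443 -nographic",
    },
    {   # Ordinary desktop VM install: normal memory size and a -cdrom, should not fire.
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "CommandLine": "qemu-system-x86_64.exe -m 2048 -cdrom install.iso -netdev user,id=n1",
    },
    {   # Hits the selection but carries a normal-usage flag, so the filter suppresses it.
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "CommandLine": "qemu-system-x86_64.exe -m 2M -cdrom boot.iso -netdev socket,id=s,"
                       "connect=203.0.113.10:443,restrict=off -nographic",
    },
]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT:", image)
```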
