Potentially Suspicious Usage Of Qemu

calendar Jun 3, 2024 · attack.command_and_control attack.t1090 attack.t1572  ·
Share on: linkedin copy

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Usage Of Qemu
 2id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
 3status: experimental
 4description: |
 5    Detects potentially suspicious execution of the Qemu utility in a Windows environment.
 6    Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.    
 7references:
 8    - https://securelist.com/network-tunneling-with-qemu/111803/
 9    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
10author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
11date: 2024/06/03
12tags:
13    - attack.command_and_control
14    - attack.t1090
15    - attack.t1572
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains:
22            - '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
23            - '-m 2M'
24            - '-m 3M'
25        CommandLine|contains|all:
26            - 'restrict=off'
27            - '-netdev '
28            - 'connect='
29            - '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
30    filter_main_normal_usecase:
31        CommandLine|contains:
32            - ' -cdrom ' # Normal usage cases
33            - ' type=virt '
34            - ' -blockdev '
35    condition: selection and not 1 of filter_main_*
36falsepositives:
37    - Unknown
38level: medium

References

  • Network tunneling with… QEMU?

    While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator.


    Read More

  • Invocation — QEMU documentation

    Create a new object of type typename setting properties in the order they are specified. Note that the ‘id’ property must be set. These objects are placed in the ‘/objects’ path. -object memory-bac...


    Read More

Related rules

to-top