Query Usage To Exfil Data

Aug 12, 2024 · attack.execution ·

Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use

Sigma rule (View on GitHub)

 1title: Query Usage To Exfil Data
 2id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
 3status: test
 4description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
 5references:
 6    - https://twitter.com/MichalKoczwara/status/1553634816016498688
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-08-01
 9modified: 2023-01-19
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith: ':\Windows\System32\query.exe'
18        CommandLine|contains:
19            - 'session >'
20            - 'process >'
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

x.com

Read More

Query Usage To Exfil Data

Sigma rule (View on GitHub)

References

x.com

Related rules