Query Usage To Exfil Data

Detects usage of "query.exe", a Windows system binary, to collect information such as "sessions" and "processes" into a file for later exfiltration.

Sigma rule

title: Query Usage To Exfil Data
id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
status: test
description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/01
modified: 2023/01/19
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\query.exe'
        CommandLine|contains:
            - 'session >'
            - 'process >'
    condition: selection
falsepositives:
    - Unknown
level: medium
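The following is an added example, not part of the rule or the Sigma project: it evaluates this rule's `selection` block against a few constructed Windows process-creation events, using Sigma's default case-insensitive string matching for the `endswith` and `contains` modifiers. Field names (`Image`, `CommandLine`) follow the Sigma process_creation schema; the events themselves are made up.

```python
"""Evaluate the 'Query Usage To Exfil Data' selection against sample events.

Added example (not the rule's own code). Sigma string modifiers are
case-insensitive by default, so both sides are lower-cased before comparing.
"""

# Criteria copied from the rule above.
IMAGE_SUFFIX = ":\\Windows\\System32\\query.exe"
CMDLINE_NEEDLES = ["session >", "process >"]


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies the rule's `selection` block."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    # Multiple values under one field in Sigma are OR-ed together.
    return any(needle in cmdline for needle in CMDLINE_NEEDLES)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\query.exe",
     "CommandLine": "query session > C:\\Users\\Public\\s.txt"},
    {"Image": "C:\\Windows\\System32\\query.exe",
     "CommandLine": "QUERY PROCESS > %TEMP%\\p.txt"},
    # Interactive use without redirection: not matched by this rule.
    {"Image": "C:\\Windows\\System32\\query.exe",
     "CommandLine": "query user"},
    # A different binary with a redirection: Image does not match.
    {"Image": "C:\\Windows\\System32\\tasklist.exe",
     "CommandLine": "tasklist > out.txt"},
]


def find_alerts(events) -> list:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```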
