Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
Sigma rule

```yaml
title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: test
description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\firm\soft\Name'
    condition: selection
falsepositives:
    - Unknown
level: high
```
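The rule has a single selection: any registry event whose TargetObject ends with `\Software\firm\soft\Name`. The following Python is an added example, not part of the rule or of the SigmaHQ project, showing how that selection evaluates against registry telemetry. The sample events are constructed to resemble Sysmon registry events (Event ID 12/13 field names) and are not real data; the matcher implements only the Sigma string modifiers needed here (`endswith`, plus `startswith` and `contains` for completeness) and applies Sigma's default case-insensitive comparison.

```python
"""Apply the rule's `TargetObject|endswith` selection to constructed registry events.

Sigma string matching is case-insensitive by default, so both the event value
and the rule pattern are lowercased before comparison.
"""
from typing import Any, Dict, List, Optional

# Constructed sample events modelled on Sysmon registry events; the SIDs, images
# and paths are placeholders, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\firm\soft\Name",
     "Details": "(Binary data)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # Same key path with different casing: Sigma still matches it.
    {"EventID": 12, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\FIRM\SOFT\Name",
     "Details": None},
    # A child value under the key is not a suffix match and must not alert.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\Software\firm\soft\Name\Extra",
     "Details": "1"},
]

# The rule's selection block, transcribed from the YAML above.
SELECTION: Dict[str, Any] = {"TargetObject|endswith": r"\Software\firm\soft\Name"}


def field_matches(value: Any, modifier: Optional[str], pattern: str) -> bool:
    """Evaluate one Sigma string comparison with the subset of modifiers used here."""
    if value is None:
        return False
    v, p = str(value).lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """A selection map is an AND over its keys; each key is 'Field' or 'Field|modifier'.

    A list of values under a single key is an OR, as in Sigma.
    """
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(field_matches(event.get(field), modifier or None, p) for p in patterns):
            return False
    return True


def run_rule(events: List[Dict[str, Any]], selection: Dict[str, Any] = SELECTION) -> List[Dict[str, Any]]:
    """Return the events that satisfy `condition: selection`."""
    return [e for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} touched {hit['TargetObject']}")
```

Two points the sample set illustrates: Sysmon records per-user hives as `HKU\<SID>\...` rather than `HKCU`, which is why the rule anchors on the key suffix instead of a full path, and a suffix match deliberately excludes values nested below the key, so a SIEM backend that rewrites `endswith` into a leading wildcard must not also append a trailing one.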
References
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry