Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
Sigma rule (View on GitHub)
1title: Potential Qakbot Registry Activity
2id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
3status: test
4description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
5references:
6 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
7author: Hieu Tran
8date: 2023/03/13
9tags:
10 - attack.defense_evasion
11 - attack.t1112
12logsource:
13 category: registry_event
14 product: windows
15detection:
16 selection:
17 TargetObject|endswith: '\Software\firm\soft\Name'
18 condition: selection
19falsepositives:
20 - Unknown
21level: high
References
-
Zscaler ThreatLabz team observed multiple OneNote malware campaign spreading RATs, Bankers, and Stealer category malware with multi-layer obfuscation.
Read More
Related rules
- OilRig APT Schedule Task Persistence - System
- NetNTLM Downgrade Attack - Registry
- Potential NetWire RAT Activity - Registry
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE