Potential Qbot SMB DLL Lateral Movement
Detects potential use of SMB to transfer DLLs into the C$ administrative share of remote hosts, a pattern unique to Qbot malware, for purposes of lateral movement.
Sigma rule

```yaml
title: Potential Qbot SMB DLL Lateral Movement
id: 3eaa2cee-2dfb-46e9-98f6-3782aab30f38
status: experimental
description: Detects potential use of SMB to transfer DLLs into the C$ share of hosts, a pattern unique to Qbot malware, for purposes of lateral movement.
author: TheDFIRReport
date: 2022-09-12
modified: 2024-02-23
references:
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        zeek_smb_files_path|endswith: 'C$'
        file_name|endswith: '\.dll.cfg'
    condition: selection
falsepositives:
    - RMM Tools and Administrative activities in C$ Share.
level: medium
tags:
    - attack.lateral-movement
    - attack.t1570
```
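To see what the selection above actually does against Zeek data, here is the detection logic run over a few constructed smb_files.log records. This is an added example, not code from the rule's author or from SigmaHQ. It assumes Zeek's JSON log output and assumes the Sigma backend maps the rule's field names `zeek_smb_files_path` and `file_name` onto Zeek's native `path` and `name` columns; that mapping is an assumption here. One check worth making before deploying the rule: the Sigma specification treats a backslash that is not followed by `*`, `?` or `\` as a literal backslash, so `'\.dll.cfg'` is the literal suffix `\.dll.cfg` (a backslash, then `.dll.cfg`), not "any name ending in .dll.cfg". The example therefore takes the name pattern as a parameter so the rule as written can be compared with the plain `.dll.cfg` reading, and it also applies Sigma's default case-insensitive matching.

```python
"""Run the Sigma selection from the rule above over Zeek smb_files.log (JSON lines).

Added example; not part of the rule or of SigmaHQ. Field names are Zeek's native
smb_files.log columns ("path", "name"); mapping the rule's Sigma field names onto
them is an assumption about the backend's field mapping.
"""
import json

# Assumed mapping from the rule's Sigma field names to Zeek's native columns.
FIELD_MAP = {"zeek_smb_files_path": "path", "file_name": "name"}


def sigma_unescape(pattern: str) -> str:
    """Resolve Sigma string escaping for a pattern used with |endswith.

    Per the Sigma specification a backslash escapes only '*', '?' and '\\'.
    A backslash in front of any other character is kept as a literal backslash,
    so r'\\.dll.cfg' stays r'\\.dll.cfg'. Wildcards are not expanded here because
    this rule's |endswith patterns contain none.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(pattern[i + 1])  # escaped special character -> literal
            i += 2
            continue
        out.append(ch)  # plain character, or a literal backslash
        i += 1
    return "".join(out)


def sigma_endswith(value: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(sigma_unescape(pattern).lower())


def selection_matches(record: dict, name_pattern: str = r"\.dll.cfg") -> bool:
    """The rule's single selection: both field conditions must hold (AND)."""
    path = record.get(FIELD_MAP["zeek_smb_files_path"], "")
    name = record.get(FIELD_MAP["file_name"], "")
    return sigma_endswith(path, "C$") and sigma_endswith(name, name_pattern)


def hunt(log_text: str, name_pattern: str = r"\.dll.cfg") -> list:
    """Parse JSON-lines smb_files.log text and return the records the rule fires on."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and TSV-style headers
            continue
        record = json.loads(line)
        if selection_matches(record, name_pattern):
            hits.append(record)
    return hits


# Constructed smb_files.log records in Zeek's JSON output shape; not real traffic.
# Zeek's "path" is the UNC tree path, "name" may carry a sub-path inside the share.
SAMPLE_RECORDS = [
    {"ts": 1662998401.1, "id.orig_h": "10.1.1.10", "id.resp_h": "10.1.1.20",
     "action": "SMB::FILE_OPEN", "path": r"\\10.1.1.20\C$",
     "name": "kqnsdt.dll.cfg", "size": 0},                       # plain .dll.cfg in C$
    {"ts": 1662998402.3, "id.orig_h": "10.1.1.10", "id.resp_h": "10.1.1.21",
     "action": "SMB::FILE_OPEN", "path": r"\\10.1.1.21\ADMIN$",
     "name": "kqnsdt.dll.cfg", "size": 0},                       # wrong share
    {"ts": 1662998403.7, "id.orig_h": "10.1.1.11", "id.resp_h": "10.1.1.20",
     "action": "SMB::FILE_OPEN", "path": r"\\10.1.1.20\C$",
     "name": r"Program Files\Vendor\updater.dll", "size": 40960},  # admin activity, no .cfg
    {"ts": 1662998404.2, "id.orig_h": "10.1.1.10", "id.resp_h": "10.1.1.22",
     "action": "SMB::FILE_OPEN", "path": r"\\10.1.1.22\c$",
     "name": r"Users\Public\ABCDEF.DLL.CFG", "size": 0},         # mixed case
    {"ts": 1662998405.9, "id.orig_h": "10.1.1.10", "id.resp_h": "10.1.1.20",
     "action": "SMB::FILE_OPEN", "path": r"\\10.1.1.20\C$",
     "name": r"tmp\.dll.cfg", "size": 0},                        # literal '\.dll.cfg' suffix
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for label, pattern in (("as written", r"\.dll.cfg"), ("plain suffix", ".dll.cfg")):
        names = [h["name"] for h in hunt(SAMPLE_LOG, pattern)]
        print(f"{label} ({pattern!r}): {names}")
```

Run as written, only the record whose name literally ends in `\.dll.cfg` fires; with the plain `.dll.cfg` suffix the two C$ transfers of `*.dll.cfg` fire (including the upper-case one) while the ADMIN$ transfer and the ordinary DLL under C$ do not. Whichever reading is intended, confirm it by inspecting the query your Sigma backend emits for `file_name|endswith`, since that is what the SIEM will actually evaluate.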
Related rules
- Potential SMB DLL Lateral Movement
- Cicada Ransomware PSExec File Creation
- Metasploit Or Impacket Service Installation Via SMB PsExec
- PSEXEC Remote Execution File Artefact
- Rundll32 Execution Without Parameters