QBot scheduled task REGSVR32 with C$ image path
Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field
Sigma rule (View on GitHub)
1title: QBot scheduled task REGSVR32 with C$ image path
2id: 014da553-5727-4e47-9544-56da83b3eb6f
3description: Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field
4status: test
5author: tas_kmanager, TheDFIRReport
6references:
7 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
8date: 2022-02-06
9modified: 2023-01-08
10logsource:
11 product: windows
12 service: system
13detection:
14 selection:
15 Provider_Name: 'Service Control Manager'
16 EventID: 7045
17 ImagePath|contains|all:
18 - 'regsvr32.exe'
19 - 'C$'
20 condition: selection
21level: high
22falsepositives:
23 - low
24tags:
25 - attack.persistence
26 - attack.privilege_escalation
27 - attack.t1053.005
References
-
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment while stealing browser information and emails.
Read More
Related rules
- QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line
- Important Scheduled Task Deleted/Disabled
- Scheduled Task Creation Via Schtasks.EXE
- Uncommon One Time Only Scheduled Task At 00:00
- Diamond Sleet APT Scheduled Task Creation