QBot scheduled task REGSVR32 with C$ image path
Detects a Windows service installation (System log, Service Control Manager event ID 7045) whose ImagePath contains both regsvr32.exe and C$, i.e. a service whose binary is regsvr32.exe loading a DLL from a C$ administrative share (a UNC path such as \\host\C$\...), consistent with the QBot lateral movement described in the referenced DFIR Report. Note that the rule's title, description and attack.t1053.005 tag speak of a scheduled task, but event ID 7045 is the service-installation event, not a scheduled-task event, so what the selection actually fires on is service creation (T1543.003, Windows Service).
Sigma rule

title: QBot scheduled task REGSVR32 with C$ image path
id: 014da553-5727-4e47-9544-56da83b3eb6f
description: Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field
status: test
author: tas_kmanager, TheDFIRReport
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
date: 2022-02-06
modified: 2023-01-08
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'regsvr32.exe'
            - 'C$'
    condition: selection
level: high
falsepositives:
    - low
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
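To show what the selection above does and does not match, here is the rule's logic evaluated over a handful of constructed System-log records. This is an added illustration, not code from the Sigma project or from The DFIR Report; the events, service names, IP address and DLL name are made up, and the records use the Sigma field names (Provider_Name, EventID, ImagePath) directly, so in a real pipeline the SIEM's field mapping for the System log has to supply those names. Two details matter in practice: Sigma string comparisons are case-insensitive, so a REGSVR32.EXE image path must still match, and the EventID check is what keeps the rule from firing on other Service Control Manager events that carry the same path.

```python
"""Evaluate the Sigma selection over constructed System-log 7045 events.

Added illustration, not code from the Sigma project or from The DFIR Report.
Event records are constructed here with the Sigma field names
(Provider_Name, EventID, ImagePath); hosts, IPs and DLL names are made up.
"""
from typing import Any, Dict, List

# The rule's selection, transcribed from the YAML. Sigma string matching is
# case-insensitive, so 'contains|all' must be evaluated that way.
SELECTION: Dict[str, Any] = {
    "Provider_Name": "Service Control Manager",
    "EventID": 7045,
    "ImagePath|contains|all": ["regsvr32.exe", "C$"],
}


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Match one selection entry; supports plain equality and contains|all."""
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    if not modifiers:
        # Plain value: strings compare case-insensitively, numbers exactly.
        if isinstance(expected, str) and isinstance(value, str):
            return value.lower() == expected.lower()
        return value == expected
    if modifiers == ["contains", "all"]:
        haystack = str(value).lower()
        return all(needle.lower() in haystack for needle in expected)
    raise ValueError(f"unsupported modifier chain: {key}")


def matches_rule(event: Dict[str, Any]) -> bool:
    """condition: selection -> every entry of the selection must match."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


# Constructed sample events (not real telemetry). Only the first should fire.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # service whose binary is regsvr32 loading a DLL from a C$ share;
        # upper-case REGSVR32.EXE checks the case-insensitive match
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "tmp9f2a",
        "ImagePath": r"REGSVR32.EXE -s \\10.10.20.15\C$\Users\Public\abc.dll",
    },
    {   # same command, but the DLL sits on a local path: no C$, no match
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "updatesvc",
        "ImagePath": r"regsvr32.exe -s C:\Users\Public\abc.dll",
    },
    {   # remote service from a C$ share without regsvr32 (e.g. PsExec style):
        # outside this rule's scope, no match
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "PSEXESVC",
        "ImagePath": r"\\10.10.20.15\C$\Windows\PSEXESVC.exe",
    },
    {   # a different Service Control Manager event ID carrying the same
        # path (constructed): EventID gate keeps it from matching
        "Provider_Name": "Service Control Manager", "EventID": 7000,
        "ServiceName": "tmp9f2a",
        "ImagePath": r"regsvr32.exe -s \\10.10.20.15\C$\Users\Public\abc.dll",
    },
]


def triage(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ServiceName of every event the rule fires on."""
    return [e["ServiceName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print(f"ALERT: service {name!r} matches the rule")
```

Running the script reports only the first service. The third record is a reminder that the rule is deliberately narrow: a remote service installed from C$ that does not go through regsvr32.exe is not covered here and needs a separate rule.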
References
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
Related rules
- QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line
- Kapeka Backdoor Scheduled Task Creation
- Diamond Sleet APT Scheduled Task Creation
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled