Emerging Threat | critical | test
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Author: X__Junior (Nextron Systems)
Created: Wed May 24, 2023
Updated: Tue May 30, 2023
Rule ID: 339ed3d6-5490-46d0-96a7-8abe33078f58
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_paths:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    selection_exports:
        CommandLine|endswith:
            # Note: Only add additional exports seen used by Qakbot
            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
            - 'bind'
            - 'DrawThemeIcon'
            - 'GG10'
            - 'GL70'
            - 'jhbvygftr'
            - 'kjhbhkjvydrt'
            - 'LS88'
            - 'Motd'
            - 'N115'
            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2
            - 'Nikn'
            - 'print'
            - 'qqqb'
            - 'qqqq'
            - 'RS32'
            - 'Test'
            - 'Time'
            - 'Updt'
            - 'vips'
            - 'Wind'
            - 'WW50'
            - 'X555'
            - 'XL55'
            - 'xlAutoOpen'
            - 'XS88'
    condition: all of selection_*

False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
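To make the rule's matching semantics concrete, the following Python is an added example, not part of the Sigma rule or of this page, that implements the two selectors and the `all of selection_*` condition and runs them over constructed process-creation events. Sigma treats string values as case-insensitive by default, so both sides are lower-cased before comparison; the event dictionaries, their `id` labels and the sample command lines are constructed for illustration and are not real telemetry.

```python
"""Evaluate the Qakbot rundll32-exports rule against constructed process-creation events.

Added example: re-implements the rule's two selectors in plain Python so the
match behaviour can be inspected offline. Not the rule's own code.
"""
from typing import Dict, Iterable, List

# Selector values copied from the rule above.
PARENT_IMAGES = ('\\cmd.exe', '\\cscript.exe', '\\curl.exe', '\\mshta.exe',
                 '\\powershell.exe', '\\pwsh.exe', '\\wscript.exe')
IMAGE_SUFFIX = '\\rundll32.exe'
PATH_FRAGMENTS = (':\\ProgramData\\', ':\\Users\\Public\\',
                  '\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\')
EXPORTS = ('aslr', 'bind', 'DrawThemeIcon', 'GG10', 'GL70', 'jhbvygftr',
           'kjhbhkjvydrt', 'LS88', 'Motd', 'N115', 'next', 'Nikn', 'print',
           'qqqb', 'qqqq', 'RS32', 'Test', 'Time', 'Updt', 'vips', 'Wind',
           'WW50', 'X555', 'XL55', 'xlAutoOpen', 'XS88')


def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    # Sigma |endswith: suffix match, case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, fragments: Iterable[str]) -> bool:
    # Sigma |contains: substring match, case-insensitive by default.
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def selection_paths(event: Dict[str, str]) -> bool:
    """All three field conditions inside selection_paths are ANDed."""
    return (_ends_with_any(event.get('ParentImage', ''), PARENT_IMAGES)
            and _ends_with_any(event.get('Image', ''), (IMAGE_SUFFIX,))
            and _contains_any(event.get('CommandLine', ''), PATH_FRAGMENTS))


def selection_exports(event: Dict[str, str]) -> bool:
    """Command line must end with one of the listed export names."""
    return _ends_with_any(event.get('CommandLine', ''), EXPORTS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_paths(event) and selection_exports(event)


def matched_exports(event: Dict[str, str]) -> List[str]:
    """Which export suffix(es) fired, useful when triaging an alert."""
    cl = event.get('CommandLine', '').lower()
    return [e for e in EXPORTS if cl.endswith(e.lower())]


# Constructed sample events (field names follow Sysmon/Sigma process_creation).
SAMPLE_EVENTS = [
    {"id": "tp-wscript",  # script host launching a DLL from Users\Public
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\report.dll,Wind"},
    {"id": "tp-powershell",  # PowerShell launching a DLL from ProgramData
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\ProgramData\abc.dll,print'},
    {"id": "benign-parent",  # staging path and export present, but parent is explorer.exe
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\x.dll,Wind"},
    {"id": "unlisted-export",  # right tree and path, export not in the list
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,DllRegisterServer"},
    {"id": "suffix-collision",  # 'SelfTest' ends with 'Test', so selection_exports fires
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,SelfTest"},
]


def evaluate(events: Iterable[Dict[str, str]]) -> Dict[str, bool]:
    """Return {event id: rule matched?} for a batch of events."""
    return {e["id"]: matches(e) for e in events}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:18} match={matches(event)!s:5} exports={matched_exports(event)}")
```

The `benign-parent` and `unlisted-export` events show that both selectors must hold: a staging path alone, or a suspicious parent alone, does not fire. The `suffix-collision` event shows a property of `|endswith` worth knowing when tuning: because matching is a case-insensitive suffix test, short entries such as `Test`, `Time` or `print` also match any argument that merely ends in those characters, so a hit on one of them deserves a look at the full command line (which `matched_exports` reports) before escalation.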
References
Tags
MITRE ATT&CK: attack.defense-evasion, attack.execution
Other: detection.emerging-threats
Rule Metadata
Rule ID
339ed3d6-5490-46d0-96a7-8abe33078f58
Status
test
Level
critical
Type
Emerging Threat
Created
Wed May 24
Modified
Tue May 30
Path
rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
Raw Tags
attack.defense-evasion, attack.execution, detection.emerging-threats