Detectionmediumtest
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*False Positives
Legitimate use
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
6a69f62d-ce75-4b57-8dce-6351eb55b362
Status
test
Level
medium
Type
Detection
Created
Sun Feb 13
Modified
Tue Mar 05
Author
Path
rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
Raw Tags
attack.collectionattack.t1005