Rule Library
Sigma Rules
5 rules found for "Qakbot"
3,731 Total
3,132 Detection
457 Emerging
139 Hunting
Emerging Threat | high | test
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen in use by Qakbot.
Windows | Process Creation
Nasreddine Bencherchali (Nextron Systems) | Fri May 26 2023
Emerging Threat | high | test
Potential Qakbot Rundll32 Execution
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
Windows | Process Creation
X__Junior (Nextron Systems) | Wed May 24 2023
Emerging Threat | critical | test
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Windows | Process Creation
X__Junior (Nextron Systems) | Wed May 24 2023
Emerging Threat | critical | test
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Windows | Process Creation
X__Junior (Nextron Systems) +1 | Wed May 24 2023
Emerging Threat | high | test
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet.
Windows | Process Creation
Florian Roth (Nextron Systems) | Thu Aug 31 2023