Qakbot Discovery Activities
This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Defense Evasion | T1140 Deobfuscate/Decode Files or Information |
| Discovery | T1010 Application Window Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
Stages and Predicates
Stage 1: source
- DeviceProcessEvents
Stage 2: where
- InitiatingProcessFileName in ["explorer.exe", "mobsync.exe"]
Stage 3: where (any one of the following branches; every condition within a branch must hold)
- arp.exe: FileName eq "arp.exe" and InitiatingProcessCommandLine match "-a"
- net.exe: FileName eq "net.exe" and InitiatingProcessCommandLine match ["view", "/all"]
- netstat.exe: FileName eq "netstat.exe" and InitiatingProcessCommandLine match "-nao"
- nslookup.exe: FileName eq "nslookup.exe" and InitiatingProcessCommandLine match ["querytype=ALL", "timeout=10"]
- ping.exe: FileName eq "ping.exe" and InitiatingProcessCommandLine ends_with "127.0.0.1" and InitiatingProcessCommandLine match "-t"
- whoami.exe: FileName eq "whoami.exe" and InitiatingProcessCommandLine match "/all"
Stage 4: summarize
Stage 5: where
- DiscoveryCommands ge "3"
Stage 6: extend
Stage 7: extend
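The staged predicates above assembled into one runnable hunting query, added here as a reconstruction rather than the catalog's own query text; the summarize keys (DeviceId, DeviceName, InitiatingProcessId, a 5-minute bin) are assumptions, and the two trailing extend stages are left out because the page lists no expressions for them.

```kql
// Added reconstruction of the staged rule; field names follow the stages listed above.
DeviceProcessEvents
// Stage 2: only children of the two host processes the rule treats as injected.
| where InitiatingProcessFileName in~ ("explorer.exe", "mobsync.exe")
// Stage 3: one branch per discovery tool; the catalog's "match" is rendered as has / has_all.
// NOTE: the catalog lists InitiatingProcessCommandLine (the parent's command line).
// The spawned tool's own arguments are carried in ProcessCommandLine; confirm which
// column the deployed rule intends before tuning thresholds.
| where (FileName =~ "arp.exe"      and InitiatingProcessCommandLine has "-a")
     or (FileName =~ "net.exe"      and InitiatingProcessCommandLine has_all ("view", "/all"))
     or (FileName =~ "netstat.exe"  and InitiatingProcessCommandLine has "-nao")
     or (FileName =~ "nslookup.exe" and InitiatingProcessCommandLine has_all ("querytype=ALL", "timeout=10"))
     or (FileName =~ "ping.exe"     and InitiatingProcessCommandLine endswith "127.0.0.1"
                                    and InitiatingProcessCommandLine has "-t")
     or (FileName =~ "whoami.exe"   and InitiatingProcessCommandLine has "/all")
// Stage 4 (assumed grouping keys): per parent process and 5-minute window, count how many
// distinct discovery tools it launched and keep the set for triage.
| summarize DiscoveryCommands = dcount(FileName),
            Tools = make_set(FileName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessId, bin(Timestamp, 5m)
// Stage 5: a single "net view" from explorer.exe is routine; three different tools from
// the same parent in one window is the signal the rule keys on.
| where DiscoveryCommands >= 3
| project-reorder FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, DiscoveryCommands, Tools
```

Raising or lowering `DiscoveryCommands >= 3`, or widening the bin, is the main tuning knob; the per-branch argument checks rarely need adjustment.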
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DiscoveryCommands | ge | 3 |
| FileName | eq | arp.exe, net.exe, netstat.exe, nslookup.exe, ping.exe, whoami.exe |
| InitiatingProcessCommandLine | ends_with | 127.0.0.1 |
| InitiatingProcessCommandLine | match | -a; view; /all; -nao; querytype=ALL; timeout=10; -t |
| InitiatingProcessFileName | in | explorer.exe, mobsync.exe |