Query Details

Detect when multiple Qakbot post compromise commands have been executed

Qakbot Post Compromise Commands Executed

Query

let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands)
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName
| extend TotalUniqueCommandsFound = array_length(CommandLineList)
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFound

About this query

Detect when multiple Qakbot post compromise commands have been executed

Query Information

Description

Detect when multiple Qakbot post compromise commands have been executed.

Defender XDR

Sentinel

let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands)
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName
| extend TotalUniqueCommandsFound = array_length(CommandLineList)
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFound

Explanation

This query is designed to detect suspicious activity related to the Qakbot malware by identifying when multiple specific commands, often used post-compromise, are executed on a device. Here's a simple breakdown of what the query does:

  1. Define Qakbot Commands: It starts by defining a list of commands that are commonly associated with Qakbot's post-compromise activities. These include network and system information gathering commands like net view, ipconfig /all, arp -a, etc.

  2. Search for Command Execution: The query looks through device process events to find instances where any of these commands have been executed.

  3. Summarize Findings: For each device and user account, it counts the total number of these commands found and compiles a list of the unique commands executed.

  4. Filter for Multiple Commands: It then filters the results to show only those instances where more than three unique Qakbot-related commands have been executed. This helps reduce false positives by focusing on cases with multiple suspicious activities.

  5. Sort Results: Finally, it sorts the results by the number of unique commands found and the total number of commands executed, prioritizing the most suspicious cases.

This query is useful for security analysts to identify potential Qakbot infections by highlighting devices and accounts that have executed multiple commands associated with the malware's behavior.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsAccountNameCommandLine

Operators

letdynamichas_anysummarizecountmake_setbyextendarray_lengthwheresort

Actions

GitHub