Detect when multiple Qakbot post compromise commands have been executed
Qakbot Post Compromise Commands Executed
Query
let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands)
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName
| extend TotalUniqueCommandsFound = array_length(CommandLineList)
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFoundAbout this query
Detect when multiple Qakbot post compromise commands have been executed
Query Information
Description
Detect when multiple Qakbot post compromise commands have been executed.
Defender XDR
Sentinel
let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands)
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName
| extend TotalUniqueCommandsFound = array_length(CommandLineList)
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFound
Explanation
This query is designed to detect suspicious activity related to the Qakbot malware by identifying when multiple specific commands, often used post-compromise, are executed on a device. Here's a simple breakdown of what the query does:
-
Define Qakbot Commands: It starts by defining a list of commands that are commonly associated with Qakbot's post-compromise activities. These include network and system information gathering commands like
net view,ipconfig /all,arp -a, etc. -
Search for Command Execution: The query looks through device process events to find instances where any of these commands have been executed.
-
Summarize Findings: For each device and user account, it counts the total number of these commands found and compiles a list of the unique commands executed.
-
Filter for Multiple Commands: It then filters the results to show only those instances where more than three unique Qakbot-related commands have been executed. This helps reduce false positives by focusing on cases with multiple suspicious activities.
-
Sort Results: Finally, it sorts the results by the number of unique commands found and the total number of commands executed, prioritizing the most suspicious cases.
This query is useful for security analysts to identify potential Qakbot infections by highlighting devices and accounts that have executed multiple commands associated with the malware's behavior.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators