Query Details

Qakbot Post Compromise Commands Executed

Query

# Detect when multiple Qakbot post compromise commands have been executed

### Defender For Endpoint

```
let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup -querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands) // keep only process starts whose command line contains a watch-listed command
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName // one row per device/account pair
| extend TotalUniqueCommandsFound = array_length(CommandLineList) // distinct command lines, so one command repeated many times counts once
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFound // sort by defaults to descending
```
### Sentinel
```
let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup -querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312
DeviceProcessEvents
| where ProcessCommandLine has_any(QakBotCommands) // keep only process starts whose command line contains a watch-listed command
| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine) by DeviceName, AccountName // one row per device/account pair
| extend TotalUniqueCommandsFound = array_length(CommandLineList) // distinct command lines, so one command repeated many times counts once
| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives
| sort by TotalUniqueCommandsFound, TotalCommandsFound // sort by defaults to descending
```
Explanation

The query looks for instances where multiple Qakbot post-compromise commands have been executed on the same device by the same account. It matches the watch-listed commands against the process command line, counts how many matching process starts were seen per device and account, and builds the set of distinct command lines so that the number of unique commands can be derived separately from the raw count (one command repeated many times therefore counts once). The query then keeps only device/account pairs with more than 3 unique matching command lines and sorts the results by the number of unique commands and then by the total number of commands found.
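To make the aggregation above concrete, here is a plain-Python re-implementation of the same filter, summarize, extend, where and sort steps run over a handful of constructed process events. This is an added example, not code from the original query page or from its author; the sample events, host and account names are made up, and the `has_any` helper is a case-insensitive substring approximation of KQL's term-based `has_any`, so it is slightly broader than the real operator.

```python
# Added example: the detection logic of the KQL query re-implemented in Python.
from collections import defaultdict

# Same watch-list as the KQL query (source: the tweet cited in the query).
QAKBOT_COMMANDS = [
    "net view", "cmd /c set", "arp -a", "ipconfig /all",
    "nslookup -querytype=ALL -timeout=12", "_ldap._tcp.dc._msdcs.WORKGROUP",
    "net share", "net1 share", "route print", "net localgroup", "whoami /all",
]


def _event(device, account, command_line):
    """Build one DeviceProcessEvents-shaped record (only the three columns the query uses)."""
    return {"DeviceName": device, "AccountName": account, "ProcessCommandLine": command_line}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # ws01/alice: five different recon commands -> 5 total, 5 unique -> flagged
    _event("ws01", "alice", "net view"),
    _event("ws01", "alice", "arp -a"),
    _event("ws01", "alice", "ipconfig /all"),
    _event("ws01", "alice", "whoami /all"),
    _event("ws01", "alice", "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP"),
    # ws02/bob: the same command five times -> 5 total, 1 unique -> below the threshold
    *[_event("ws02", "bob", "net view") for _ in range(5)],
    # ws03/carol: nothing on the watch-list -> dropped by the where clause
    _event("ws03", "carol", "notepad.exe C:\\notes.txt"),
    _event("ws03", "carol", "ipconfig /release"),
]


def has_any(command_line, patterns):
    """Approximation of KQL has_any: case-insensitive containment of any pattern.

    KQL's has_any matches whole terms, so this substring check is slightly broader.
    """
    lowered = command_line.lower()
    return any(p.lower() in lowered for p in patterns)


def detect(events, patterns=QAKBOT_COMMANDS, threshold=3):
    """Mirror the query: where -> summarize by device/account -> extend -> where -> sort."""
    groups = defaultdict(lambda: {"total": 0, "command_lines": set()})
    for ev in events:  # | where ProcessCommandLine has_any(QakBotCommands)
        cmd = ev["ProcessCommandLine"]
        if not has_any(cmd, patterns):
            continue
        g = groups[(ev["DeviceName"], ev["AccountName"])]  # summarize ... by DeviceName, AccountName
        g["total"] += 1                # count()
        g["command_lines"].add(cmd)    # make_set(ProcessCommandLine)

    rows = []
    for (device, account), g in groups.items():
        unique = len(g["command_lines"])  # extend TotalUniqueCommandsFound = array_length(CommandLineList)
        if unique > threshold:            # where TotalUniqueCommandsFound > 3
            rows.append({
                "DeviceName": device,
                "AccountName": account,
                "TotalCommandsFound": g["total"],
                "TotalUniqueCommandsFound": unique,
                "CommandLineList": sorted(g["command_lines"]),
            })
    # sort by TotalUniqueCommandsFound, TotalCommandsFound (KQL sort defaults to descending)
    rows.sort(key=lambda r: (r["TotalUniqueCommandsFound"], r["TotalCommandsFound"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["DeviceName"], row["AccountName"],
              row["TotalUniqueCommandsFound"], row["TotalCommandsFound"])
```

With the default threshold only ws01/alice is reported; ws02/bob, which ran `net view` five times, has a total of 5 but only 1 unique command line, which is exactly the case the `array_length(make_set(...))` step is there to separate from genuine multi-command reconnaissance. Lowering `threshold` shows how quickly such noisy single-command hosts would enter the results, which is why the query's comment tells you to tune that number.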

Details

Bert-Jan Pals

Released: August 6, 2023

Tables

DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

has_any, summarize, count, make_set, extend, array_length, where, sort by