title: QBot Process Creation
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: experimental
description: Detects QBot-like process executions
author: Florian Roth
date: 2019/10/01
modified: 2020/09/01
tags:
    - attack.execution
    - attack.t1059.005
    - attack.defense_evasion  # an old one
    - attack.t1064  # an old one
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\WinRAR.exe'
        Image|endswith: '\wscript.exe'
    selection2:
        CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
    condition: selection1 or selection2
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
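The following is an added example, not part of the rule above and not code from the Sigma project: it transcribes the rule's two selections into Python and evaluates them against a handful of constructed process_creation events (the paths and command lines are made up for illustration). It implements only the two modifiers the rule uses, `endswith` and `contains`, with Sigma's default case-insensitive string matching, so it shows what a converted query is expected to do: the two fields inside selection1 are ANDed, and the condition ORs the two selections.

```python
# Added example: evaluate the QBot Process Creation rule's selections
# against constructed process_creation events. Not pySigma/sigmac; a
# minimal matcher covering only the modifiers this rule uses.
from typing import Dict, List

# The rule's detection block, transcribed into Python literals.
SELECTION1 = {
    "ParentImage|endswith": "\\WinRAR.exe",
    "Image|endswith": "\\wscript.exe",
}
SELECTION2 = {
    "CommandLine|contains": " /c ping.exe -n 6 127.0.0.1 & type ",
}


def field_matches(event: Dict[str, object], field_spec: str, value: str) -> bool:
    """Apply one 'Field|modifier: value' pair to an event.

    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased. A missing field never matches.
    """
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = value.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, object], selection: Dict[str, str]) -> bool:
    # A selection map is a conjunction: every field/value pair must match.
    return all(field_matches(event, spec, val) for spec, val in selection.items())


def evaluate(event: Dict[str, object]) -> List[str]:
    # condition: selection1 or selection2 -> names of the selections that fired
    fired = []
    if selection_matches(event, SELECTION1):
        fired.append("selection1")
    if selection_matches(event, SELECTION2):
        fired.append("selection2")
    return fired


def run_rule(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map each event id to the list of selections it triggered."""
    return {int(e["id"]): evaluate(e) for e in events}


# Constructed sample events (hypothetical hosts, paths and file names).
SAMPLE_EVENTS = [
    # 1: archive tool spawning the script host -> selection1
    {"id": 1, "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\invoice.vbs"},
    # 2: the ping-delay-then-type command line -> selection2
    {"id": 2, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\\Temp\\sample.txt"},
    # 3: wscript launched from explorer, no suspicious command line -> no match
    {"id": 3, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe logon.vbs"},
    # 4: same as 1 but with mixed case -> still selection1 (case-insensitive)
    {"id": 4, "ParentImage": "C:\\TOOLS\\WINRAR.EXE",
     "Image": "C:\\Windows\\SysWOW64\\WScript.EXE",
     "CommandLine": "WScript.EXE x.js"},
    # 5: WinRAR spawning a viewer, not the script host -> no match
    {"id": 5, "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for event_id, fired in run_rule(SAMPLE_EVENTS).items():
        print(event_id, fired or "-")
```

In practice the rule is converted with sigmac or pySigma into the SIEM's query language rather than evaluated like this; the matcher above is useful for checking, before deployment, which fields a candidate event must carry (ParentImage, Image, CommandLine) and that the backslash-prefixed `endswith` values do not match on a bare `WinRAR.exe` or `wscript.exe` that sits inside a longer file name.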