title: QBot Process Creation
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: experimental
description: Detects QBot like process executions
author: Florian Roth
date: 2019/10/01
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage: '*\WinRAR.exe'
        Image: '*\wscript.exe'
    selection2:
        CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
    condition: selection1 or selection2
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical