SigmaHQ/rules/windows/process_creation/win_malware_qbot.yml

32 lines
843 B
YAML

title: QBot Process Creation
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: experimental
description: Detects QBot like process executions
author: Florian Roth
date: 2019/10/01
modified: 2020/09/01
tags:
- attack.execution
- attack.t1059.005
- attack.defense_evasion # an old one
- attack.t1064 # an old one
references:
- https://twitter.com/killamjr/status/1179034907932315648
- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage: '*\WinRAR.exe'
Image: '*\wscript.exe'
selection2:
CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
condition: selection1 or selection2
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unlikely
level: critical