The Qakbot-injected processes accessing lsass.exe for credentials can be detected using the query below. Fig: Qakbot Injected msra.exe accessing lsass.exe
#OSQUERY WINDOWS EXAMPLES CODE#
Qakbot then attempts to inject code into a preselected list of processes to evade detection and target LSASS through an injected process to gain credentials. The following query can be utilized to detect scheduled tasks that create a system user and registers a DLL. "schtasks.exe" /Create /RU "NT AUTHORITYSYSTEM" /tn This is achieved by creating a SYSTEM user account which is used to perform the task. Qakbot establishes persistence by creating a scheduled task that registers the Qakbot DLL to execute with elevated privileges. Once the Qakbot DLL was loaded into the targeted machine, the following behaviors were observed. OR image_loaded NOT LIKE 'C:WindowsSysWOW64%' Image_loaded NOT LIKE 'C:WindowsSystem32%' Json_extract(data,'$.EventData.ImageLoaded') as image_loaded Json_extract(data,'$.EventData.ProcessId') as process_pid, Json_extract(data,'$.EventData.Image') as process_name, Using osquery, the calculator loading DLLs from unusual file paths can be detected.
#OSQUERY WINDOWS EXAMPLES ISO#
Upon opening the HTML file, the JavaScript code gets executed within the browser dropping an ISO image file.Īfter user clicks on the shortcut file from the mounted drive, the LNK file initiates the execution of hidden Windows 7 calculator and side-loading of Qakbot DLL. 'curl.exe', 'scriptrunner.exe', 'certoc.exe', 'workfolders.exe', 'odbcconf.exe', 'msiexec.exe', 'msdt.exe'īased on our observation, Qakbot malware is also being distributed via emails with HTML attachments containing malicious JavaScript code in HTML5 attributes. 'msxsl.exe', 'ieexec.exe', 'cmd.exe', 'powershell.exe', 'hh.exe', 'javaw.exe', 'pcalua.exe', 'schtasks.exe', 'wmic.exe', 'WmiPrvSE.exe', 'cscript.exe', 'wscript.exe', 'rundll32.exe', 'regsvr32.exe', 'bitsadmin.exe', 'certutil.exe', 'installutil.exe', Process_cmdline LIKE '%\AppData\Local\Temp\OneNote\%' SELECTĪND LOWER(parent_process_name) = 'onenote.exe' The following osquery detects the creation of suspicious child process on execution of the script in the OneNote attachment. For more information refer to our blog on OneNote campaign.įig: Dragging button reveal embedded files However, the concealed script executes and retrieves a malicious DLL file from a hardcoded URL. The attacker entices the victim to click on a button labeled as “Decrypt and View Message” or “Double Click to View File” within an attachment. OneNote Campaignįollowing Microsoft’s decision to block macros, threat actors behind Qakbot resorted to email thread hijacking using a malicious OneNote document for wide-scale distribution by embedding scripts like JSE, CHM, HTA, MSF & BAT in the attachment. NOTE: Further analysis is required to determine whether the WSF file exhibits any malicious behavior. SELECTĪND LOWER(name) IN ('wscript.exe','cscript.exe') The following query can be used to detect the launching of a WSF file. wsf file, the embedded JavaScript code will launch wscript which in turn downloads the Qakbot DLL.
wsf files via spam mail as part of their campaign.
#OSQUERY WINDOWS EXAMPLES ARCHIVE#
The Qakbot threat actors are distributing an archive file containing. The information returned in the data column will be JSON formatted, which will require additional parsing.Fig: Qakbot’s Progression Windows Script File (WSF) Campaign.This is not an evented table - instead, it pulls directly from the local system's existing eventlogs.SELECT datetime,computer_name,data FROM windows_eventlog WHERE eventid=4720 AND channel='Security'" 4728: Added to a security-enabled global group.
There are many other relevant EventIDs that should be monitored as well: This query lists all Windows Eventlogs from the Security channel with an EventID of 4720 - A user account was created. Tracking user account changes is a key part of both detection & incident response. Process ID which emitted the event record Hostname of system where event was generatedĪ bitmask of the keywords defined in the event
0 kommentar(er)
