Merge pull request #198 from martyav/qakbot

Qakbot

Author: tali-ash

Defense evasion/qakbot-campaign-process-injection.md

@@ -0,0 +1,52 @@
+# Process injection by Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects if Qakbot has injected code into the *ping.exe* process, to evade security and access credentials.
+
+## Query
+
+```Kusto
+DeviceProcessEvents
+| where FileName == "esentutl.exe"
+| where ProcessCommandLine has "WebCache"
+| where ProcessCommandLine has_any ("V01", "/s", "/d")
+| project ProcessCommandLine, InitiatingProcessParentFileName, 
+DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access | v |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Registry edits by campaigns using Qakbot malware](..\Persistence\qakbot-campaign-self-deletion.md)
+* [Self-deletion by Qakbot malware](..\Defense evasion\qakbot-campaign-registry-edit.md)
+* [Browser cookie theft by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-esentutl.md)
+* [Outlook email access by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-outlook.md)
+* [Javascript use by Qakbot malware](..\Execution\qakbot-campaign-suspicious-javascript.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Defense evasion/qakbot-campaign-self-deletion.md

@@ -0,0 +1,54 @@
+# Self-deletion by Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects if an instance of Qakbot has attempted to overwrite its original binary.
+
+## Query
+
+```Kusto
+DeviceProcessEvents 
+| where FileName =~ "ping.exe"
+| where InitiatingProcessFileName =~ "cmd.exe"
+| where InitiatingProcessCommandLine has "calc.exe" and
+InitiatingProcessCommandLine has "-n 6" 
+and InitiatingProcessCommandLine has "127.0.0.1"
+| project ProcessCommandLine, InitiatingProcessCommandLine,
+InitiatingProcessParentFileName, DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Registry edits by campaigns using Qakbot malware](..\Persistence\qakbot-campaign-registry-edit.md)
+* [Process injection by Qakbot malware](..\Defense evasion\qakbot-campaign-process-injection.md)
+* [Browser cookie theft by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-esentutl.md)
+* [Outlook email access by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-outlook.md)
+* [Javascript use by Qakbot malware](..\Execution\qakbot-campaign-suspicious-javascript.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Discovery/qakbot-campaign-esentutl.md

@@ -0,0 +1,52 @@
+# Browser cookie theft by campaigns using Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects possible use of the system process, *esentutl.exe*, to look through a user's browser history and steal cookies.
+
+## Query
+
+```Kusto
+DeviceProcessEvents
+| where FileName == "esentutl.exe"
+| where ProcessCommandLine has "WebCache"
+| where ProcessCommandLine has_any ("V01", "/s", "/d")
+| project ProcessCommandLine, 
+InitiatingProcessParentFileName, DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access | v |  |
+| Discovery | v |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Self-deletion by Qakbot malware](..\Defense evasion\qakbot-campaign-self-deletion.md)
+* [Process injection by Qakbot malware](..\Defense evasion\qakbot-campaign-process-injection.md)
+* [Registry edits by campaigns using Qakbot malware](..\Persistence\qakbot-campaign-registry-edit.md)
+* [Outlook email access by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-outlook.md)
+* [Javascript use by Qakbot malware](..\Execution\qakbot-campaign-suspicious-javascript.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Discovery/qakbot-campaign-outlook.md

@@ -0,0 +1,51 @@
+# Outlook email access by campaigns using Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects attempts to access files in the local path that contain Outlook emails.
+
+## Query
+
+```Kusto
+DeviceFileEvents
+| where FolderPath hasprefix "EmailStorage"
+| where FolderPath has "Outlook"
+| project FileName, FolderPath, InitiatingProcessFileName,
+InitiatingProcessCommandLine, DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery | v |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Self-deletion by Qakbot malware](..\Defense evasion\qakbot-campaign-self-deletion.md)
+* [Process injection by Qakbot malware](..\Defense evasion\qakbot-campaign-process-injection.md)
+* [Registry edits by campaigns using Qakbot malware](..\Persistence\qakbot-campaign-registry-edit.md)
+* [Browser cookie theft by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-esentutl.md)
+* [Javascript use by Qakbot malware](..\Execution\qakbot-campaign-suspicious-javascript.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Execution/qakbot-campaign-suspicious-javascript.md

@@ -0,0 +1,53 @@
+# Javascript use by Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects possible attempts by Qakbot to execute malicious Javascript code.
+
+## Query
+
+```Kusto
+DeviceProcessEvents
+| where InitiatingProcessFileName == "cmd.exe"
+| where FileName == "cscript.exe"
+| where InitiatingProcessCommandLine has "start /MIN"
+| where ProcessCommandLine has "E:javascript"
+| project ProcessCommandLine, 
+InitiatingProcessCommandLine, DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Self-deletion by Qakbot malware](..\Defense evasion\qakbot-campaign-self-deletion.md)
+* [Process injection by Qakbot malware](..\Defense evasion\qakbot-campaign-process-injection.md)
+* [Registry edits by campaigns using Qakbot malware](..\Persistence\qakbot-campaign-registry-edit.md)
+* [Browser cookie theft by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-esentutl.md)
+* [Outlook email access by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-outlook.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Persistence/qakbot-campaign-registry-edit.md

@@ -0,0 +1,53 @@
+# Registry edits by campaigns using Qakbot malware
+
+This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*
+
+[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).
+
+The following query detects registry entries that may indicate that an operator is trying to establish persistence for the Qakbot binary.
+
+## Query
+
+```Kusto
+DeviceRegistryEvents
+| where ActionType == "RegistryValueSet"
+| where InitiatingProcessFileName == "explorer.exe"
+| where RegistryValueData has @"AppData\Roaming\Microsoft" and
+RegistryValueData has "$windowsupdate"
+| where RegistryKey has @"CurrentVersion\Run"
+| project RegistryKey, RegistryValueData, DeviceId, Timestamp
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence | v |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Self-deletion by Qakbot malware](..\Defense evasion\qakbot-campaign-self-deletion.md)
+* [Process injection by Qakbot malware](..\Defense evasion\qakbot-campaign-process-injection.md)
+* [Browser cookie theft by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-esentutl.md)
+* [Outlook email access by campaigns using Qakbot malware](..\Discovery\qakbot-campaign-outlook.md)
+* [Javascript use by Qakbot malware](..\Execution\qakbot-campaign-suspicious-javascript.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team