Excel launching regsvr32.exe or rundll32.exe with a relative path (`..\`) in the command line is a known Qakbot execution pattern: a malicious workbook's macro drops a DLL and hands it to a signed Windows binary to run, so the event shows that the maldoc was opened and its payload executed. SOC teams should hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) over the Microsoft 365 Defender DeviceProcessEvents table to catch early-stage Qakbot infections before lateral movement and data exfiltration follow.
KQL Query
DeviceProcessEvents
| where InitiatingProcessParentFileName has "excel.exe" or InitiatingProcessFileName =~ "excel.exe"
| where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
| where FileName in~ ("regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has @"..\"
id: f387a52b-a1c3-43dc-b4cf-e6cbf895a3da
name: Excel launching anomalous processes
description: |
  Use this query to find Excel launching anomalous processes consistent with Qakbot payloads, which carry additional markers seen in recent Qakbot executions.
  The presence of such anomalous processes indicates that the payload was delivered and executed, though reconnaissance and successful implantation have not necessarily completed yet.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName has "excel.exe" or InitiatingProcessFileName =~ "excel.exe"
  | where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
  | where FileName in~ ("regsvr32.exe", "rundll32.exe")
  | where ProcessCommandLine has @"..\"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector that populates this table is enabled |
The scenarios below are candidate false positives. Note that the query as written only returns regsvr32.exe or rundll32.exe children of Excel (or of an Excel-spawned regsvr32.exe) whose command line contains `..\`, so scenarios 2 to 5 cannot match it unless the FileName filter is widened to other Excel-spawned processes; they are listed for that case. Exclusions are given as KQL `where` clauses over DeviceProcessEvents columns; the paths and names in them are placeholders to be replaced with values from your own environment.
Scenario: Scheduled Excel macro execution for report generation
Description: A legitimate scheduled job opens a workbook whose macro registers a helper DLL with regsvr32.exe using a relative path, so Excel spawns regsvr32.exe with `..\` in the command line and the query fires.
Filter/Exclusion: `| where not(InitiatingProcessFileName =~ "excel.exe" and InitiatingProcessCommandLine has @"C:\Reports\daily_report.xlsm")` (placeholder workbook path). Key the exclusion on the known workbook rather than on Excel's parent process: the task action is started by the Task Scheduler service, not by schtasks.exe, and scheduled tasks are themselves a persistence technique, so suppressing everything Excel does when launched from a task is too broad.
Scenario: Admin using Excel to launch a PowerShell script for system maintenance
Description: An administrator's workbook macro invokes a PowerShell script for routine maintenance. Relevant only if the FileName filter is widened to include powershell.exe; Excel spawning PowerShell is itself a common maldoc pattern, so scope the exclusion to the exact script path and the devices that legitimately run it.
Filter/Exclusion: `| where not(FileName =~ "powershell.exe" and InitiatingProcessFileName =~ "excel.exe" and ProcessCommandLine has @"C:\Scripts\maintenance.ps1")` (placeholder script path).
Scenario: Excel used to open a legitimate third-party application
Description: Excel is used to open a trusted third-party application (e.g., Adobe Acrobat, Microsoft Visio) as part of a workflow. Relevant only with a widened FileName filter; exclude by the image path (FolderPath), not by file name alone, so a renamed binary does not inherit the exclusion.
Filter/Exclusion: `| where not(FileName in~ ("AcroRd32.exe", "Visio.exe") and FolderPath startswith @"C:\Program Files")` (adjust to the install location).
Scenario: Excel macro used for data import from a database
Description: A macro imports data from a database (e.g., SQL Server). An ODBC connection made from a macro loads the driver DLLs into EXCEL.EXE itself; that appears in DeviceImageLoadEvents, not as a child process in DeviceProcessEvents, so a DLL name (the original entry lists odbcex.dll) cannot be excluded by process name. Only a macro that shells out to sqlcmd.exe produces a process event, and then only with a widened FileName filter.
Filter/Exclusion: `| where not(FileName =~ "sqlcmd.exe" and InitiatingProcessFileName =~ "excel.exe" and ProcessCommandLine has "reportdb01")` (placeholder database server name).
Scenario: Excel used to launch a legitimate system diagnostic tool
Description: Excel is used to launch a system diagnostic or monitoring tool (e.g., PerfMon, Process Explorer) for troubleshooting. Relevant only with a widened FileName filter; as with third-party applications, exclude by image path rather than by name alone.
Filter/Exclusion: `process.name:”
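To see concretely what the four `where` clauses keep, and what an allow-list for the scheduled-report scenario does to the result set, here is an added Python re-implementation of the query logic run over constructed DeviceProcessEvents-style records. It is not part of the original page or of the Azure Sentinel hunting query. The sample events, the `update.dll` and `reportgen.dll` names, the user and server paths, and the allow-listed workbook `C:\Reports\daily_report.xlsm` are assumptions made for the example, and the lowercase substring test for `..\` is an approximation of KQL `has`.

```python
"""Offline re-implementation of the "Excel launching anomalous processes" hunt.

ProcessEvent carries the DeviceProcessEvents columns the KQL touches, plus
InitiatingProcessCommandLine, which the allow-list below keys on. Every sample
event is constructed for this example; the allow-listed workbook path is a
hypothetical value, not something the hunting query defines.
"""
from dataclasses import dataclass

# KQL `=~` and `in~` are case-insensitive compares; `has` is a case-insensitive
# term search. A substring test on the raw command line is a close enough
# stand-in for `has @"..\"` here (assumption made for the example).
TRAVERSAL_TOKEN = "..\\"
LOADER_BINARIES = ("regsvr32.exe", "rundll32.exe")

# Hypothetical allow-list for Scenario 1 (scheduled report job). It is keyed on
# the workbook Excel was started with, not on Excel's parent process: scheduled
# tasks are also an attacker persistence mechanism, so "launched by the
# scheduler" alone must not suppress the hit.
ALLOWLISTED_WORKBOOKS = (r"c:\reports\daily_report.xlsm",)

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"


@dataclass(frozen=True)
class ProcessEvent:
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessParentFileName: str


def matches_query(e: ProcessEvent) -> bool:
    """Mirror the four `where` clauses of the hunting query, in order."""
    parent = e.InitiatingProcessParentFileName.lower()
    initiating = e.InitiatingProcessFileName.lower()
    child = e.FileName.lower()
    # | where InitiatingProcessParentFileName has "excel.exe"
    #      or InitiatingProcessFileName =~ "excel.exe"
    if "excel.exe" not in parent and initiating != "excel.exe":
        return False
    # | where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
    if initiating not in ("excel.exe", "regsvr32.exe"):
        return False
    # | where FileName in~ ("regsvr32.exe", "rundll32.exe")
    if child not in LOADER_BINARIES:
        return False
    # | where ProcessCommandLine has @"..\"
    return TRAVERSAL_TOKEN in e.ProcessCommandLine


def is_allowlisted(e: ProcessEvent) -> bool:
    """Scenario 1 exclusion: Excel was opened on a known scheduled-report workbook."""
    cmd = e.InitiatingProcessCommandLine.lower()
    return e.InitiatingProcessFileName.lower() == "excel.exe" and any(
        workbook in cmd for workbook in ALLOWLISTED_WORKBOOKS
    )


def hunt(events):
    """Events left for an analyst after the query and the exclusion are applied."""
    return [e for e in events if matches_query(e) and not is_allowlisted(e)]


def excel_cmd(workbook: str) -> str:
    """Command line of an EXCEL.EXE instance opened on `workbook`."""
    return f'"{OFFICE}" {workbook}'


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Qakbot-style first hop: Excel registers a dropped DLL via a relative path.
    ProcessEvent("regsvr32.exe", r"regsvr32.exe -s ..\update.dll", "EXCEL.EXE",
                 excel_cmd(r"C:\Users\j.doe\Downloads\invoice_4421.xls"), "explorer.exe"),
    # Second hop: the Excel-spawned regsvr32 starts rundll32 with the same token.
    ProcessEvent("rundll32.exe", r"rundll32.exe ..\update.dll,DllRegisterServer",
                 "regsvr32.exe", r"regsvr32.exe -s ..\update.dll", "EXCEL.EXE"),
    # Scenario 2: Excel -> PowerShell. Never matches: FileName is not a loader binary.
    ProcessEvent("powershell.exe", r"powershell.exe -File C:\Scripts\maintenance.ps1",
                 "EXCEL.EXE", excel_cmd(r"C:\Tools\maintenance.xlsm"), "explorer.exe"),
    # Vendor add-in registered with an absolute path: no `..\` token, no match.
    ProcessEvent("regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Vendor\addin.dll"',
                 "EXCEL.EXE", excel_cmd(r"C:\Users\j.doe\Documents\budget.xlsx"), "explorer.exe"),
    # Scenario 1: scheduled report macro registers a helper DLL with a relative path.
    # Matches the query; suppressed only by the workbook allow-list.
    ProcessEvent("regsvr32.exe", r"regsvr32.exe /s ..\lib\reportgen.dll", "EXCEL.EXE",
                 excel_cmd(r"C:\Reports\daily_report.xlsm"), "svchost.exe"),
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = ("ALERT" if e in hunt([e]) else
                   "allow-listed" if matches_query(e) else "no match")
        print(f"{verdict:13} {e.InitiatingProcessFileName} -> {e.ProcessCommandLine}")
```

Running the script prints one verdict per sample event: the two Qakbot-style hops alert, the PowerShell and absolute-path regsvr32 events never reach the analyst because the FileName and `..\` clauses drop them, and the scheduled-report event matches the query but is suppressed by the workbook allow-list. Widening `LOADER_BINARIES` is the one change that makes scenarios 2 to 5 relevant, which is why the exclusions for them are scoped to exact paths rather than to process names.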