Adversaries modify autostart (Run key) registry entries to establish persistence for Qakbot, a credential-stealing malware family that targets users of banking and financial services and has repeatedly preceded ransomware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel (through the Microsoft 365 Defender connector) so that credential theft and any follow-on ransomware campaign are caught early, before the operators move beyond the initial foothold.
KQL Query

```kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where InitiatingProcessFileName == "explorer.exe"
| where RegistryValueData has @"AppData\Roaming\Microsoft" and RegistryValueData has "$windowsupdate"
| where RegistryKey has @"CurrentVersion\Run"
| project RegistryKey, RegistryValueData, DeviceId, Timestamp
```
```yaml
id: 3f305589-cde2-4509-8204-63cb2a00117c
name: qakbot-campaign-registry-edit
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware.
  Qakbot is malware that steals login credentials for banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects registry entries that may indicate that an operator is trying to establish persistence for the Qakbot binary.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Persistence
query: |
  DeviceRegistryEvents
  | where ActionType == "RegistryValueSet"
  | where InitiatingProcessFileName == "explorer.exe"
  | where RegistryValueData has @"AppData\Roaming\Microsoft" and RegistryValueData has "$windowsupdate"
  | where RegistryKey has @"CurrentVersion\Run"
  | project RegistryKey, RegistryValueData, DeviceId, Timestamp
```
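To see exactly which rows the four `where` clauses keep and drop, the following is an added example (not code from the original page or from Microsoft's query pack) that re-implements the predicate in Python and replays it over constructed DeviceRegistryEvents rows. Device IDs, user names and paths in the sample rows are hypothetical; only the column names come from the table schema.

```python
# Added example (not code from the original page or from Microsoft's Sentinel
# query pack): an offline re-implementation of the qakbot-campaign-registry-edit
# predicate, replayed over constructed DeviceRegistryEvents rows so the match
# logic and its blind spots can be inspected without a Sentinel workspace.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DeviceRegistryEvent:
    """Subset of the DeviceRegistryEvents columns the query touches."""
    Timestamp: str
    DeviceId: str
    ActionType: str
    InitiatingProcessFileName: str
    RegistryKey: str
    RegistryValueName: str
    RegistryValueData: str


def kql_has(haystack: str, needle: str) -> bool:
    # KQL `has` is a case-insensitive whole-term match. A case-insensitive
    # substring test is a practical stand-in that needs no term index; exact
    # term semantics (e.g. how separators are tokenized) need Kusto itself.
    return needle.lower() in haystack.lower()


def is_qakbot_persistence(ev: DeviceRegistryEvent) -> bool:
    """Mirror of the four `where` clauses, in the same order as the query."""
    return (
        ev.ActionType == "RegistryValueSet"
        # KQL `==` is case-sensitive: the query keys on the literal "explorer.exe".
        and ev.InitiatingProcessFileName == "explorer.exe"
        and kql_has(ev.RegistryValueData, r"AppData\Roaming\Microsoft")
        and kql_has(ev.RegistryValueData, "$windowsupdate")
        and kql_has(ev.RegistryKey, r"CurrentVersion\Run")
    )


def hunt(events: Iterable[DeviceRegistryEvent]) -> List[Tuple[str, str, str, str]]:
    """Equivalent of the final `project`: (RegistryKey, RegistryValueData, DeviceId, Timestamp)."""
    return [
        (e.RegistryKey, e.RegistryValueData, e.DeviceId, e.Timestamp)
        for e in events
        if is_qakbot_persistence(e)
    ]


RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample rows (hypothetical device IDs, user names and paths).
SAMPLE_EVENTS = [
    # 1. Explorer-launched dropper writes a Run value pointing into the
    #    $windowsupdate folder under AppData\Roaming\Microsoft: should fire.
    DeviceRegistryEvent(
        "2024-01-10T09:12:44Z", "dev-001", "RegistryValueSet", "explorer.exe",
        RUN_KEY, "windowsupdate",
        r"C:\Users\alice\AppData\Roaming\Microsoft\$windowsupdate\wupdate.exe",
    ),
    # 2. Same value data, but written by reg.exe (an admin or a script): the
    #    explorer.exe clause drops it, so exclusions on reg.exe, schtasks.exe,
    #    gpupdate.exe or backup tools never change this query's result set.
    DeviceRegistryEvent(
        "2024-01-10T09:13:02Z", "dev-002", "RegistryValueSet", "reg.exe",
        RUN_KEY, "windowsupdate",
        r"C:\Users\bob\AppData\Roaming\Microsoft\$windowsupdate\wupdate.exe",
    ),
    # 3. Benign Run value set through Explorer (OneDrive autostart): the path
    #    is under AppData\Local, not AppData\Roaming\Microsoft, so no match.
    DeviceRegistryEvent(
        "2024-01-10T09:14:10Z", "dev-003", "RegistryValueSet", "explorer.exe",
        RUN_KEY, "OneDrive",
        r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    ),
    # 4. Right path and process, but the value was deleted rather than set:
    #    the ActionType clause filters it out (cleanup is not persistence).
    DeviceRegistryEvent(
        "2024-01-10T09:15:30Z", "dev-001", "RegistryValueDeleted", "explorer.exe",
        RUN_KEY, "windowsupdate",
        r"C:\Users\alice\AppData\Roaming\Microsoft\$windowsupdate\wupdate.exe",
    ),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running the block prints the single projected row for dev-001. The second sample row is the important one for tuning: because the query pins the initiating process to explorer.exe, the administrative and scheduling tools discussed under the false-positive scenarios are already outside its result set, and exclusions for them only matter if that clause is relaxed.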
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector (Microsoft 365 Defender, MicrosoftThreatProtection) is enabled |
Known False Positives

As written, the query only returns values written by explorer.exe (InitiatingProcessFileName == "explorer.exe"), so registry edits made by the tools in the scenarios below never reach its result set. The exclusions become relevant only if that clause is relaxed to hunt for the same Run-key pattern regardless of the writing process. The example filters are KQL against DeviceRegistryEvents columns and would be appended to the query as additional `| where` lines.

Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled task runs a script that writes Run-key values (for example, re-registering a maintenance agent), which could trigger the rule. Tasks started by the Task Scheduler service are launched from the Schedule service host (svchost.exe); schtasks.exe is only the command-line tool for creating tasks and is not the parent of the running task.
Filter/Exclusion: Exclude writes whose initiating process was launched by the Task Scheduler service and carries Microsoft version metadata. Version metadata is self-declared by the binary and is not a signature check; verifying the signer requires joining InitiatingProcessSHA1 to DeviceFileCertificateInfo.
Example Filter: | where not(InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessVersionInfoCompanyName == "Microsoft Corporation")
Scenario: Admin Task – Registry Cleanup
Description: An administrator uses regedit.exe or reg.exe to remove or rewrite stale autostart entries, which may match the rule's registry modification patterns.
Filter/Exclusion: Exclude edits made by regedit.exe or reg.exe from a maintained list of administrative accounts, or within a known cleanup window. Scope the exclusion to named accounts and tools rather than to "any domain admin": DeviceRegistryEvents carries the account name and domain but not group membership, and an attacker who has obtained an admin session will use reg.exe as well.
Example Filter: | where not(InitiatingProcessFileName in~ ("regedit.exe", "reg.exe") and InitiatingProcessAccountDomain =~ "DOMAIN" and InitiatingProcessAccountName in~ ("cleanup-svc")) (account name is a placeholder)
Scenario: Software Installation via Group Policy
Description: A Group Policy update deploys software or preferences that write Run-key values, which could be flagged by the rule.
Filter/Exclusion: Exclude registry changes made by gpupdate.exe or the Group Policy client. Note that gpupdate.exe only triggers a refresh; policy-driven registry writes are performed by the Group Policy client service (gpsvc), which runs inside svchost.exe rather than a process named "GroupPolicy", so an exclusion on gpupdate.exe alone may not remove the noise.
Example Filter: | where not(InitiatingProcessFileName =~ "gpupdate.exe" or (InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "gpsvc"))
Scenario: Database Backup Script Modifying Registry
Description: A database backup script (e.g., sqlbackup.exe) writes registry values to configure backup paths or settings.
Filter/Exclusion: Exclude registry modifications made by the backup tooling, and pin the exclusion to the binary's installation folder so that a renamed dropper cannot borrow the file name.
Example Filter: | where not(InitiatingProcessFileName in~ ("sqlbackup.exe", "sqlcmd.exe") and InitiatingProcessFolderPath startswith @"C:\Program Files\Microsoft SQL Server\") (folder path is an example; use the site's actual install location)
Scenario: Windows Update or Patching Process
Description: Windows Update or patching processes may modify