Processes that Qakbot has injected into run discovery commands to enumerate network resources, a precursor to lateral movement and ransomware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect Qakbot infections at an early stage, before ransomware is propagated.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
// The discovery arguments are on the spawned child's command line (ProcessCommandLine);
// testing the parent's InitiatingProcessCommandLine would inspect explorer.exe's or mobsync.exe's own
// command line, which does not carry these arguments.
| where (FileName =~ 'net.exe' and ProcessCommandLine has_all('view','/all'))
    or (FileName =~ 'whoami.exe' and ProcessCommandLine has '/all')
    or (FileName =~ 'nslookup.exe' and ProcessCommandLine has_all('querytype=ALL','timeout=10'))
    or (FileName =~ 'netstat.exe' and ProcessCommandLine has '-nao')
    or (FileName =~ 'arp.exe' and ProcessCommandLine has '-a')
    or (FileName =~ 'ping.exe' and ProcessCommandLine has '-t' and ProcessCommandLine endswith '127.0.0.1')
// Count distinct discovery command lines per device in 5-minute windows; three or more in one window is the hunt signal
| summarize DiscoveryCommands = dcount(ProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where DiscoveryCommands >= 3
```
```yaml
id: 4c290208-c36d-4e57-8d6d-f7e790dc0d3f
name: Qakbot discovery activities
description: |
  Use this query to locate injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName in~('mobsync.exe','explorer.exe')
  // The discovery arguments are on the spawned child's command line (ProcessCommandLine), not on the parent's
  | where (FileName =~ 'net.exe' and ProcessCommandLine has_all('view','/all'))
      or (FileName =~ 'whoami.exe' and ProcessCommandLine has '/all')
      or (FileName =~ 'nslookup.exe' and ProcessCommandLine has_all('querytype=ALL','timeout=10'))
      or (FileName =~ 'netstat.exe' and ProcessCommandLine has '-nao')
      or (FileName =~ 'arp.exe' and ProcessCommandLine has '-a')
      or (FileName =~ 'ping.exe' and ProcessCommandLine has '-t' and ProcessCommandLine endswith '127.0.0.1')
  | summarize DiscoveryCommands = dcount(ProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
  | where DiscoveryCommands >= 3
```
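As an added illustration (not part of the original rule or of the Azure Sentinel project), the following Python re-implements the query's logic over constructed sample rows: children of mobsync.exe/explorer.exe, the six discovery-command patterns matched on the child's command line, 5-minute binning per device, and the threshold of three distinct command lines. The device names, timestamps and domain are invented, and `has()` only approximates KQL's term-based `has` operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PARENTS = {"mobsync.exe", "explorer.exe"}  # processes Qakbot is known to inject into
TOKEN = re.compile(r"[a-z0-9]+")

def has(cmd, term):
    """Approximate KQL 'has': the term's tokens occur as a contiguous token run, case-insensitive."""
    toks, want = TOKEN.findall(cmd.lower()), TOKEN.findall(term.lower())
    return any(toks[i:i + len(want)] == want for i in range(len(toks) - len(want) + 1))
# child file name -> predicate over the child's command line, one entry per OR branch of the query
DISCOVERY = {
    "net.exe": lambda c: has(c, "view") and has(c, "/all"),
    "whoami.exe": lambda c: has(c, "/all"),
    "nslookup.exe": lambda c: has(c, "querytype=ALL") and has(c, "timeout=10"),
    "netstat.exe": lambda c: has(c, "-nao"),
    "arp.exe": lambda c: has(c, "-a"),
    "ping.exe": lambda c: has(c, "-t") and c.lower().endswith("127.0.0.1"),
}
def discovery_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Distinct matching child command lines per (DeviceId, 5-minute bin); keep bins at or above threshold."""
    bins = defaultdict(set)
    for e in events:
        if e["InitiatingProcessFileName"].lower() not in PARENTS:
            continue
        check = DISCOVERY.get(e["FileName"].lower())
        if check is None or not check(e["ProcessCommandLine"]):
            continue
        ts = datetime.fromisoformat(e["Timestamp"])
        start = ts - (ts - datetime.min) % window  # same bucketing as KQL bin(Timestamp, 5m)
        bins[(e["DeviceId"], start)].add(e["ProcessCommandLine"])
    return {k: sorted(v) for k, v in bins.items() if len(v) >= threshold}

def ev(*vals):  # build one constructed DeviceProcessEvents-like row
    return dict(zip(("Timestamp", "DeviceId", "InitiatingProcessFileName", "FileName", "ProcessCommandLine"), vals))
# Constructed sample telemetry (not real logs): only host-a's first 5-minute bin should alert
SAMPLE = [
    ev("2024-03-01T10:00:05", "host-a", "explorer.exe", "net.exe", "net view /all"),
    ev("2024-03-01T10:00:20", "host-a", "explorer.exe", "whoami.exe", "whoami /all"),
    ev("2024-03-01T10:01:10", "host-a", "explorer.exe", "nslookup.exe", "nslookup -querytype=ALL -timeout=10 corp.example"),
    ev("2024-03-01T10:03:40", "host-a", "explorer.exe", "arp.exe", "arp -a"),
    ev("2024-03-01T10:06:00", "host-a", "explorer.exe", "netstat.exe", "netstat -nao"),  # lands in the next bin
    ev("2024-03-01T10:00:10", "host-b", "explorer.exe", "arp.exe", "arp -a"),  # only two hits: below threshold
    ev("2024-03-01T10:00:15", "host-b", "explorer.exe", "ping.exe", "ping -t 127.0.0.1"),
    ev("2024-03-01T10:00:30", "host-c", "cmd.exe", "net.exe", "net view /all"),  # parent out of scope
    ev("2024-03-01T10:00:35", "host-c", "cmd.exe", "whoami.exe", "whoami /all"),
    ev("2024-03-01T10:00:40", "host-c", "cmd.exe", "netstat.exe", "netstat -nao"),
]
```

Calling `discovery_alerts(SAMPLE)` returns a single entry for host-a's 10:00 bin with four distinct command lines; lowering `threshold` to 2 also surfaces host-b, which is a quick way to see how sensitive the rule is to that cut-off.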
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False-positive scenarios

The exclusions below use Elastic Common Schema field names (process.name, process.args); in DeviceProcessEvents the equivalents are FileName and ProcessCommandLine. Each exclusion is the condition an event must satisfy to remain in the results, so clauses that exclude several process names are joined with `and` (joined with `or`, a condition such as `process.name != "a" or process.name != "b"` is always true and excludes nothing). Because the query above already limits parents to mobsync.exe and explorer.exe and children to the six discovery binaries, these exclusions only take effect if that scoping is relaxed.

- Scenario: system update or patching process using Windows Update or the Group Policy Client.
  Filter/Exclusion: `process.name != "wuauclt.exe" and process.name != "gpsvc.exe"`
- Scenario: scheduled job running PowerShell to gather system information for compliance or audit purposes.
  Filter/Exclusion: `process.name != "powershell.exe" or (process.args not contains "Get-ChildItem" and process.args not contains "Get-Service")`
- Scenario: admin task using Task Scheduler to run a legitimate system inventory tool such as Sysinternals Process Explorer.
  Filter/Exclusion: `process.name != "taskhost.exe" and process.name != "procexp.exe"`
- Scenario: security tool or endpoint protection software performing a scan, such as Microsoft Defender or CrowdStrike Falcon.
  Filter/Exclusion: `process.name != "MsMpEng.exe" and process.name != "falcon.exe"`
- Scenario: database backup or maintenance job using SQL Server Agent or MySQL Workbench.
  Filter/Exclusion: `(process.name != "sqlservr.exe" and process.name != "mysql.exe") or (process.args not contains "backup" and process.args not contains "maintenance")`