Adversaries are leveraging Qakbot to steal email credentials by exfiltrating sensitive data from compromised mailboxes. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage email theft campaigns before data is exfiltrated.
KQL Query
```kusto
DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe' and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'
and InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe') and FolderPath endswith ".eml"
```
```yaml
id: a5c3ebdf-e427-4b1b-985e-c1f1e20067b7
name: Qakbot email theft (1)
description: |
  Use this query to find email stealing activities ran by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions.
  Email theft that occurs might be exfiltrated to operators and indicates that the malware completed a large portion of its automated activity without interruption.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Collection
query: |
  DeviceFileEvents
  | where InitiatingProcessFileName =~ 'ping.exe' and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'
  and InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe') and FolderPath endswith ".eml"
```
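To make the query's operator semantics concrete (`=~` and `in~` fold case, `==` does not, and KQL `endswith` is case-insensitive) and to sketch the per-device triage step that follows a hunting hit, here is an added Python model of the predicate; it is example code written for this page, not code from the original query or the Azure Sentinel repository, and the DeviceFileEvents rows, device names and paths in it are constructed samples.

```python
# Added example (not part of the original hunting query or the Azure Sentinel repo).
# Models the query's where clause offline with the same KQL operator semantics:
# =~ and in~ are case-insensitive, == is case-sensitive, endswith is case-insensitive.
# The DeviceFileEvents rows below are constructed sample data, not real telemetry.

PARENTS = ("msra.exe", "mobsync.exe")   # InitiatingProcessParentFileName in~ (...)
PING_CMD = "ping.exe -t 127.0.0.1"      # InitiatingProcessCommandLine == ... (exact match)

def matches_qakbot_email_theft(row: dict) -> bool:
    """True when a DeviceFileEvents row satisfies the hunting query's where clause."""
    return (
        row["InitiatingProcessFileName"].lower() == "ping.exe"        # =~ 'ping.exe'
        and row["InitiatingProcessCommandLine"] == PING_CMD            # == (no case folding)
        and row["InitiatingProcessParentFileName"].lower() in PARENTS  # in~ (...)
        and row["FolderPath"].lower().endswith(".eml")                 # endswith ".eml"
    )

def summarize_hits(rows: list) -> dict:
    """Per-device triage view of matching rows: .eml count, first/last seen, paths written."""
    out = {}
    for r in rows:
        if not matches_qakbot_email_theft(r):
            continue
        d = out.setdefault(r["DeviceName"], {"count": 0, "first": r["Timestamp"],
                                             "last": r["Timestamp"], "paths": set()})
        d["count"] += 1
        d["first"] = min(d["first"], r["Timestamp"])  # ISO-8601 strings sort chronologically
        d["last"] = max(d["last"], r["Timestamp"])
        d["paths"].add(r["FolderPath"])
    return out

def _row(ts, device, fname, cmd, parent, path):
    return {"Timestamp": ts, "DeviceName": device, "InitiatingProcessFileName": fname,
            "InitiatingProcessCommandLine": cmd, "InitiatingProcessParentFileName": parent,
            "FolderPath": path}

# Constructed sample rows: two hits on ws01 (note the case variants), three non-hits.
SAMPLE_ROWS = [
    _row("2024-01-01T10:00:00Z", "ws01", "ping.exe", PING_CMD, "msra.exe", r"C:\Users\jdoe\AppData\Local\Temp\1.eml"),
    _row("2024-01-01T10:00:05Z", "ws01", "PING.EXE", PING_CMD, "MobSync.exe", r"C:\Users\jdoe\AppData\Local\Temp\2.EML"),
    _row("2024-01-01T10:01:00Z", "ws02", "ping.exe", "ping.exe -n 4 10.0.0.1", "msra.exe", r"C:\tmp\3.eml"),  # ordinary ping
    _row("2024-01-01T10:02:00Z", "ws02", "ping.exe", PING_CMD, "cmd.exe", r"C:\tmp\4.eml"),                  # parent not msra/mobsync
    _row("2024-01-01T10:03:00Z", "ws03", "ping.exe", PING_CMD, "msra.exe", r"C:\tmp\notes.txt"),             # not an .eml file
]

if __name__ == "__main__":
    for device, d in summarize_hits(SAMPLE_ROWS).items():
        print(device, d["count"], d["first"], d["last"], sorted(d["paths"]))
```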
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: Scheduled System Backup Job
  - Description: A legitimate scheduled backup job using wbadmin or vssadmin is executed, which may trigger the detection due to similar command-line activity.
  - Filter/Exclusion: Exclude processes initiated by wbadmin or vssadmin with scheduled task IDs or paths containing backup or system.
- Scenario: Admin Task for Email Archiving
  - Description: An administrator runs a PowerShell script using Out-Email or Send-MailMessage to archive emails, which may resemble email theft behavior.
  - Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges and containing keywords like archive, backup, or mailserver.
- Scenario: Database Export Using SQL Server Agent
  - Description: A SQL Server Agent job exports data to an email server using sqlcmd or bcp, which may be flagged as suspicious email activity.
  - Filter/Exclusion: Exclude processes involving sqlcmd, bcp, or SQL Server Agent jobs with export-related command-line arguments.
- Scenario: Email Reporting Tool Usage
  - Description: A legitimate email reporting tool such as Microsoft Exchange Online Protection or Microsoft 365 Message Trace is used to generate reports, which may trigger the rule due to email-related commands.
  - Filter/Exclusion: Exclude processes initiated by the Exchange admin or with command-line arguments containing report, trace, or message.
- Scenario: User-Initiated Email Forwarding
  - Description: A user manually forwards emails using Outlook or PowerShell scripts, which may be flagged due to email handling activity.
  - Filter/Exclusion: Exclude processes initiated by non-admin users with command-line arguments containing forward, send, or email.