The Qakbot reconnaissance activity this query detects indicates that an adversary is gathering system information and establishing command-and-control communication to exfiltrate that data after successful code injection. SOC teams should proactively hunt for this behavior in Azure Sentinel so that Qakbot-related intrusions can be identified and mitigated before they escalate to data exfiltration or lateral movement.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any (
    "whoami /all", "cmd /c set", "arp -a", "ipconfig /all", "net view /all", "nslookup -querytype=ALL -timeout=10",
    "net share", "route print", "netstat -nao", "net localgroup")
| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_FileName >= 8
```
```yaml
id: 2faad0ef-63f4-40aa-98e8-b713d9a8b3f7
name: Qakbot reconnaissance activities
description: |
  Use this query to find reconnaissance and beaconing activities after code injection occurs.
  Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltrate system information. This data, once exfiltrated, will be used to prioritize human operated actions.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Discovery
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName == InitiatingProcessCommandLine
  | where ProcessCommandLine has_any (
  "whoami /all","cmd /c set","arp -a","ipconfig /all","net view /all","nslookup -querytype=ALL -timeout=10",
  "net share","route print","netstat -nao","net localgroup")
  | summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId,bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
  | where dcount_FileName >= 8
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Tasks
Description: Legitimate system maintenance scripts (e.g., schtasks.exe or Task Scheduler) may execute commands that resemble reconnaissance, such as querying system information or checking network connectivity.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler by checking the process name in the event or process tree.
Scenario: PowerShell Remoting for Admin Tasks
Description: Administrators may use PowerShell remoting (powershell.exe -Command) to perform routine system checks, which can include commands that look like reconnaissance (e.g., Test-NetConnection, Get-NetTCPConnection).
Filter/Exclusion: Filter out PowerShell commands executed by known admin accounts or within specific PowerShell modules used for legitimate administrative tasks.
Scenario: Network Discovery via Netsh or Nmap
Description: Network discovery tools like nmap or netsh may be used by IT staff to map internal network topology, which can trigger similar command patterns to Qakbot reconnaissance.
Filter/Exclusion: Exclude processes initiated by network discovery tools or by users with network administration privileges.
Scenario: Database Querying for Compliance Audits
Description: Database administrators may run SQL queries to check for compliance or system health, which could include commands that resemble exfiltration or reconnaissance.
Filter/Exclusion: Filter out SQL queries executed by known DBA accounts or within specific database management tools like sqlcmd or SSMS.
Scenario: Antivirus or Endpoint Protection Scanning
Description: Antivirus tools like Microsoft Defender or Kaspersky may perform system scans that include checking for suspicious processes or network connections, which can trigger false positives.
Filter/Exclusion: Exclude processes associated with known antivirus or endpoint protection software by
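As an added tuning example, not part of the original hunting query or of Microsoft's published content, the following applies the exclusions from the scenarios above before the distinct-command count is taken. The `benign_parents` and `admin_accounts` lists, and every value in them, are assumed placeholders to be replaced with environment-specific values; `InitiatingProcessAccountName` and `DeviceName` are standard DeviceProcessEvents columns.

```kql
// Added tuning example, not the original hunting query. The exclusion lists are
// assumed placeholders; populate them from your own environment before use.
let recon_commands = dynamic([
    "whoami /all", "cmd /c set", "arp -a", "ipconfig /all", "net view /all",
    "nslookup -querytype=ALL -timeout=10", "net share", "route print",
    "netstat -nao", "net localgroup"]);
// Parent processes from the benign scenarios above (assumed list: scheduled tasks,
// network discovery tools, database tooling, endpoint protection engine).
let benign_parents = dynamic([
    "schtasks.exe", "nmap.exe", "netsh.exe", "sqlcmd.exe", "ssms.exe", "MsMpEng.exe"]);
// Accounts whose PowerShell-based admin checks are expected (assumed placeholders).
let admin_accounts = dynamic(["it-netadmin", "dba-svc"]);
DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any (recon_commands)
// Tuning: drop the documented benign scenarios before counting distinct commands,
// so routine maintenance on a host neither inflates nor masks the count.
| where not(InitiatingProcessFileName in~ (benign_parents))
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessAccountName in~ (admin_accounts))
| summarize DistinctCommands = dcount(FileName),
            Commands = make_set(ProcessCommandLine),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceId, DeviceName, Day = bin(Timestamp, 1d),
       InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| where DistinctCommands >= 8
| project Day, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          DistinctCommands, FirstSeen, LastSeen, Commands
| order by DistinctCommands desc
```

Exclusions keyed only on the parent file name are the weakest of these filters, because the base query already assumes the reconnaissance runs from an injected host process rather than from a process Qakbot itself started; scoping exclusions to known accounts and hosts, and keeping the excluded hits visible in a separate lower-severity query, is the safer way to reduce noise. `FirstSeen` and `LastSeen` are added to show how tightly the commands cluster in time, since Qakbot's automated reconnaissance typically runs the whole set within seconds.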