Qakbot Discovery Activies

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Defender XDR
ID	ba9db6b2-3d05-42ae-8aee-3a15bbe29f27
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	DefenseEvasion, Discovery, Execution
Techniques	T1140, T1010, T1059
Required Connectors	MicrosoftThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
DeviceProcessEvents	InitiatingProcessCommandLine endswith "127.0.0.1" InitiatingProcessCommandLine has "-a" InitiatingProcessCommandLine has "-nao" InitiatingProcessCommandLine has "-t" InitiatingProcessCommandLine has "/all" InitiatingProcessFileName in "explorer.exe,mobsync.exe"	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Microsoft Defender XDR