Qakbot

Date: 2022-10-20 ID: 0ced1e29-5390-4a9a-bd97-6a09cb604a0d Author: Teoderick Contreras, Splunk Environment: attack_range Directory: qakbot

Description

Generated datasets for qakbot in attack range.

No MITRE techniques specified for this dataset.

The following datasets were collected during this attack simulation:

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows DLL Side-Loading In Calc	`TTP`	Endpoint	T1574.001	Qakbot, Earth Alux
Windows Modify Registry Qakbot Binary Data Registry	`Anomaly`	Endpoint	T1112	Qakbot
Windows DLL Side-Loading Process Child Of Calc	`Anomaly`	Endpoint	T1574.001	Qakbot, Earth Alux
Windows App Layer Protocol Qakbot NamedPipe	`Anomaly`	Endpoint	T1071	Qakbot
Windows Masquerading Explorer As Child Process	`TTP`	Endpoint	T1574.001	Qakbot, Compromised Windows Host, Water Gamayun
Windows Regsvr32 Renamed Binary	`TTP`	Endpoint	T1218.010	Qakbot, Compromised Windows Host
Windows List ENV Variables Via SET Command From Uncommon Parent	`Anomaly`	Endpoint	T1055	Qakbot
Windows Process Injection Wermgr Child Process	`Anomaly`	Endpoint	T1055	Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
Windows App Layer Protocol Wermgr Connect To NamedPipe	`Anomaly`	Endpoint	T1071	Qakbot
Windows Process Injection Remote Thread	`TTP`	Endpoint	T1055.002	Qakbot, Graceful Wipe Out Attack, Warzone RAT, Earth Alux, Water Gamayun
Windows Process Injection Of Wermgr to Known Browser	`TTP`	Endpoint	T1055.001	Qakbot

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/malware/qakbot/sysmon.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0