@DebugPrivilege
DebugPrivilege
2 years
Been on a few IR engagements that involve Qakbot. I've been using the 'Microsoft-Windows-VHDMP' ETW Provider to hunt for Qakbot activities on a large scale of systems. %LOCALAPPDATA%\Temp that contains a ZIP starting with Temp1_* or some random .ISO file is a good indicator.

Replies

@mgreen27
Matthew Green 🌻
2 years
@DebugPrivilege We added this artifact to @velocidex to pull from this log any image mounts from Users\**. Filter obvious legit images and stack for easy wins 🙂 Another good detection for QBot is xrw memory segments with the malpedia yara.
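Pulling together the two hunting ideas above (the %LOCALAPPDATA%\Temp / Temp1_* indicator from the first tweet and the "pull user-profile image mounts, filter known-good, stack" approach from @mgreen27's reply), here is an added Python example; it is not code from either author, Velociraptor or Event Ripper. It runs over constructed records shaped like Microsoft-Windows-VHDMP/Operational mount messages; the message wording, the regexes and the allow list are assumptions to be tuned per environment.

```python
import re
from collections import Counter

# Constructed sample records shaped like Microsoft-Windows-VHDMP/Operational
# mount messages (the exact message wording is an assumption, not from the thread).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2022-10-03T09:12:41Z", "message":
     r"The VHD C:\Users\jdoe\AppData\Local\Temp\Temp1_Invoice_4471.zip\Scan_4471.iso has come online (surfaced) as disk number 2."},
    {"host": "WS02", "time": "2022-10-03T09:15:02Z", "message":
     r"The VHD C:\Users\asmith\AppData\Local\Temp\x7f2k.iso has come online (surfaced) as disk number 3."},
    {"host": "WS03", "time": "2022-10-03T10:01:17Z", "message":
     r"The VHD D:\ISOs\Win11_22H2.iso has come online (surfaced) as disk number 1."},
    {"host": "WS04", "time": "2022-10-03T10:20:55Z", "message":
     r"The VHD C:\Users\bchan\Downloads\ubuntu-22.04.iso has come online (surfaced) as disk number 2."},
    {"host": "WS01", "time": "2022-10-03T09:40:00Z", "message":
     r"The VHD C:\Users\jdoe\AppData\Local\Temp\Temp1_Invoice_4471.zip\Scan_4471.iso has been taken offline."},
]

MOUNT_RE = re.compile(r"^The VHD (?P<path>.+?) has come online", re.I)
USER_PATH_RE = re.compile(r"^[A-Z]:\\Users\\(?P<user>[^\\]+)\\", re.I)
IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
KNOWN_GOOD_PREFIXES = ("d:\\isos\\",)  # placeholder allow list; tune per environment

def classify(event):
    """Return a finding for a suspicious image mount from a user profile, else None."""
    m = MOUNT_RE.match(event["message"])
    if not m:
        return None  # unmount or other VHDMP message: not a mount
    path = m.group("path")
    low = path.lower()
    if not low.endswith(IMAGE_EXTS) or low.startswith(KNOWN_GOOD_PREFIXES):
        return None
    u = USER_PATH_RE.match(path)
    if not u:
        return None  # only mounts from under Users\ are in scope
    if "\\temp\\temp1_" in low:
        reason = "temp1_zip_extract"  # image opened straight out of an Explorer ZIP preview
    elif "\\appdata\\local\\temp\\" in low:
        reason = "localappdata_temp"  # random image dropped in %LOCALAPPDATA%\Temp
    else:
        reason = "user_profile_image"  # e.g. Downloads: lower signal, still worth stacking
    return {"host": event["host"], "time": event["time"], "user": u.group("user"),
            "path": path, "reason": reason}

def hunt(events):
    return [f for f in map(classify, events) if f]

def stack(findings):
    # Stack findings by reason so rare, high-signal paths stand out across many hosts.
    return Counter(f["reason"] for f in findings)
```

In practice the records would come from the exported VHDMP/Operational log of each host; the legit-image allow list and the reasons are where environment-specific tuning goes.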
@Purp1eW0lf
Dray Agha
2 years
@DebugPrivilege For those wanting to take a similar investigative approach, @keydet89's Event Ripper has a great plugin that suits this task:
@Purp1eW0lf
Dray Agha
2 years
@chrissanders88 Retrieve the VHDMP Event Log, and then deploy @keydet89's dedicated plugin from Event Ripper. We use this IRL for Qakbot's latest iteration, which enjoys mounting ISOs. The plugin gives us date and path, which usually informs username too.
@cbecks_2
Chris Beckett
2 years
@DebugPrivilege Seeing lots of IMG too. Depending on your EDR, you may be able to hunt for lnk and suspect extensions running from the root or a direct child folder of a drive that is not "C:\".
@binary_raider
RootAccess
2 years
@DebugPrivilege Any ideas for a query using ‘Advanced Hunting’ in the security center?