title: QBot Process Creation
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: experimental
description: Detects QBot-like process executions
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
author: Florian Roth
date: 2019/10/01
modified: 2021/01/25
tags:
    - attack.execution
    - attack.t1059.005
    - attack.defense_evasion
    - attack.t1064
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        ParentImage: '*\WinRAR.exe'
    SELECTION_3:
        Image: '*\wscript.exe'
    SELECTION_4:
        CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
    SELECTION_5:
        CommandLine: '*regsvr32.exe*'
    SELECTION_6:
        CommandLine: '*C:\ProgramData*'
    SELECTION_7:
        CommandLine: '*.tmp*'
    condition: SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4 or (SELECTION_5 and SELECTION_6 and SELECTION_7))
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
ruletype: SIGMA
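The following is an added example, not part of the Sigma project or of this rule: a minimal Python evaluator that transcribes the seven selections and the condition above and runs them over constructed Sysmon EventID 1 records, so a detection engineer can check which branch of the condition a given event would trip before deploying the rule. It hand-rolls Sigma's string semantics (case-insensitive comparison, `*` as a wildcard) with `fnmatch`; it is not pySigma, and the event records, paths and file names are constructed fixtures, not observed telemetry.

```python
"""Evaluate the QBot Process Creation Sigma rule against constructed
Sysmon process-creation events (added example, not the Sigma project's code)."""
import fnmatch

# Selections transcribed from the rule. Sigma compares strings
# case-insensitively with '*' as a wildcard; numbers compare exactly.
SELECTIONS = {
    "SELECTION_1": {"EventID": 1},
    "SELECTION_2": {"ParentImage": "*\\WinRAR.exe"},
    "SELECTION_3": {"Image": "*\\wscript.exe"},
    "SELECTION_4": {"CommandLine": "* /c ping.exe -n 6 127.0.0.1 & type *"},
    "SELECTION_5": {"CommandLine": "*regsvr32.exe*"},
    "SELECTION_6": {"CommandLine": "*C:\\ProgramData*"},
    "SELECTION_7": {"CommandLine": "*.tmp*"},
}


def field_matches(value, pattern):
    """One Sigma field modifier-free comparison: wildcard for strings, equality otherwise."""
    if isinstance(pattern, str):
        if value is None:
            return False
        # Lower both sides and use fnmatchcase so only '*'/'?' are special,
        # not the platform's case rules; '\\' and '.' are matched literally.
        return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())
    return value == pattern


def selection_matches(event, selection):
    """All fields listed inside one selection must match (Sigma AND semantics)."""
    return all(field_matches(event.get(f), p) for f, p in selection.items())


def rule_matches(event):
    """The rule's condition:
    SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4
                     or (SELECTION_5 and SELECTION_6 and SELECTION_7))"""
    s = {name: selection_matches(event, sel) for name, sel in SELECTIONS.items()}
    return s["SELECTION_1"] and (
        (s["SELECTION_2"] and s["SELECTION_3"])
        or s["SELECTION_4"]
        or (s["SELECTION_5"] and s["SELECTION_6"] and s["SELECTION_7"])
    )


# Constructed Sysmon EventID 1 records (field names as Sysmon emits them).
EVENTS = [
    {   # archive-launched script: ParentImage WinRAR, Image wscript -> branch 1
        "EventID": 1,
        "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe \"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DI\\doc.vbs\"",
    },
    {   # delay-then-read pattern on the command line -> branch 2
        "EventID": 1,
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\\ProgramData\\stage.dat",
    },
    {   # regsvr32 loading a .tmp from ProgramData -> branch 3
        "EventID": 1,
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s C:\\ProgramData\\update.tmp",
    },
    {   # benign logon script: wscript without the WinRAR parent -> no match
        "EventID": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe \\\\fileserver\\netlogon\\logon.vbs",
    },
    {   # same fields as the first record but a network-connection event -> gated out by EventID
        "EventID": 3,
        "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe anything.vbs",
    },
]


def evaluate_sample():
    """Return the rule verdict for each constructed event, in order."""
    return [rule_matches(e) for e in EVENTS]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate_sample()):
        print("ALERT " if hit else "ok    ", event["Image"], "|", event["CommandLine"])
```

Running the block prints one line per fixture; the first three records alert (one per branch of the condition) and the last two do not. Note that the `EventID: 1` selection only makes sense for Sysmon-sourced logs; a backend mapping `process_creation` to Windows Security event 4688 must translate that selection rather than match the literal value.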