The hypothesis is that the detection identifies potential Qakbot malware activity leveraging esentutl.exe, which is commonly used for credential theft and persistence in financial institutions. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage Qakbot campaigns before they escalate to ransomware or data exfiltration.
KQL Query
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine,
InitiatingProcessParentFileName, DeviceId, Timestamp
id: a0784604-ef4d-43b9-8e31-d234c649eeda
name: qakbot-campaign-esentutl
description: |
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
The following query detects possible use of the system process, esentutl.exe, to look through a user's browser history and steal cookies.
Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Credential Access
- Discovery
query: |
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine,
InitiatingProcessParentFileName, DeviceId, Timestamp
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled system maintenance using esentutl.exe
Description: Enterprise environments often run scheduled maintenance tasks using esentutl.exe to repair or defragment Microsoft Exchange databases.
Filter/Exclusion: Check for the presence of Microsoft Exchange in the process tree or file path, or filter by process parent process (e.g., msftesql.exe or exmerge.exe).
Scenario: Database repair using esentutl.exe
Description: IT administrators may use esentutl.exe to repair corrupted Microsoft Jet or ACE databases, which are used in legacy applications or email clients like Outlook.
Filter/Exclusion: Filter by file path containing *.mdb or *.accdb, or check for the presence of Microsoft Access or Outlook in the process tree.
Scenario: Malware analysis or sandbox environment
Description: Security teams may run esentutl.exe in a sandbox or malware analysis environment as part of forensic or threat hunting activities.
Filter/Exclusion: Check for the presence of sandboxing indicators (e.g., sandbox, vmware, virtualbox) or filter by IP address associated with internal security tools.
Scenario: Administrative task using esentutl.exe for log file cleanup
Description: Some enterprise tools or scripts may use esentutl.exe to clean up or manage log files, especially in older systems using Microsoft Jet databases.
Filter/Exclusion: Filter by command-line arguments such as /d (defragment) or /p (repair), or check for the presence of known legitimate scripts or tools in the command line.
Scenario: Third-party application using esentutl.exe for data management
Description: Some third-party enterprise applications may use