The hypothesis is that the detection identifies potential process injection activity associated with Qakbot malware, which is used to steal login credentials from financial institutions. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Qakbot infections before they lead to credential theft and potential ransomware deployment.
KQL Query

```kql
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine, InitiatingProcessParentFileName,
          DeviceId, Timestamp
```
```yaml
id: c07d24d5-7c97-4ac4-873e-b364695df045
name: qakbot-campaign-process-injection
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware.
  Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects if Qakbot has injected code into the ping.exe process, to evade security and access credentials.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
  - Credential Access
query: |
  DeviceProcessEvents
  | where FileName == "esentutl.exe"
  | where ProcessCommandLine has "WebCache"
  | where ProcessCommandLine has_any ("V01", "/s", "/d")
  | project ProcessCommandLine, InitiatingProcessParentFileName,
            DeviceId, Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or Task Scheduler) is running a script that performs process injection as part of routine system health checks.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or Task Scheduler with known maintenance task names (e.g., System Maintenance or Disk Cleanup).

Scenario: Admin Tool for Process Injection
Description: An administrator is using a legitimate tool like Process Explorer or ProcMon to inject a payload for debugging or forensic analysis.
Filter/Exclusion: Exclude processes launched by Process Explorer or ProcMon and filter out any injection activity initiated by these tools.

Scenario: Automated Patching Tool
Description: A patching tool like Windows Update or Microsoft Endpoint Manager is injecting code into a process to apply updates or patches.
Filter/Exclusion: Exclude processes associated with Windows Update or Microsoft Endpoint Manager and filter out injection events during scheduled patching windows.

Scenario: Database Backup Job
Description: A database backup job (e.g., SQL Server Agent Job) is using a script or tool to inject code into a process to facilitate data extraction or backup operations.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent or SQL Backup Tools and filter out injection events during scheduled backup windows.

Scenario: Security Software Testing
Description: A security team is testing a detection rule by using a tool like Metasploit or Cobalt Strike to simulate a process injection attack for validation.
Filter/Exclusion: Exclude processes launched by Metasploit, Cobalt Strike, or other red team tools used in controlled security testing.
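One way to fold the exclusions above into the hunting query and roll the hits up per device, as an added example that is not the page's or Microsoft's own query; the allowlisted parent image names are assumed placeholders, not values from the page:

```kql
// Added tuning example, not the original hunting query: the same
// esentutl.exe / WebCache match the page uses, with the parent-process
// exclusions the false-positive scenarios call for, then summarized to
// one row per device so an analyst can triage the remaining hits quickly.
// ASSUMED: the image names below are placeholders; replace them with the
// scheduler, backup and debugging tools actually in use in your tenant.
let lookback = 7d;
let allowedParents = dynamic(["schtasks.exe", "sqlagent.exe", "procexp64.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Core match from the page: esentutl.exe operating on the WebCache store.
| where FileName =~ "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
// Tuning: drop launches whose parent or grandparent is an allowlisted tool.
| where InitiatingProcessFileName !in~ (allowedParents)
    and InitiatingProcessParentFileName !in~ (allowedParents)
// Keep the process chain and account so each remaining hit is self-explanatory.
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessParentFileName, InitiatingProcessFileName,
          ProcessCommandLine
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Hits = count(),
            Parents = make_set(InitiatingProcessParentFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 10)
        by DeviceId, DeviceName, AccountName
| order by LastSeen desc
```

Review the `Parents` and `CommandLines` sets before adding any further exclusion, since a parent name that looks like maintenance tooling is exactly what a loader would spoof.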