The hypothesis is that the detection identifies suspicious JavaScript activity potentially associated with the Qakbot malware, which is used to steal login credentials from financial institutions. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage Qakbot campaigns before they lead to data exfiltration or ransomware deployment.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where FileName == "cscript.exe"
| where InitiatingProcessCommandLine has "start /MIN"
| where ProcessCommandLine has "E:javascript"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
```yaml
id: 1ef38d9a-7d3e-4313-a961-169bb23ff270
name: qakbot-campaign-suspicious-javascript
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware.
  Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects possible attempts by Qakbot to execute malicious JavaScript code.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName == "cmd.exe"
  | where FileName == "cscript.exe"
  | where InitiatingProcessCommandLine has "start /MIN"
  | where ProcessCommandLine has "E:javascript"
  | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate JavaScript-based Reporting Tool Usage
Description: A system administrator uses a legitimate reporting tool like Power BI or Tableau to generate reports using JavaScript-based dashboards.
Filter/Exclusion: Exclude processes associated with known reporting tools (e.g., powerbi.exe, tabcmd.exe) or filter by user account (e.g., admin, reporting).

Scenario: Scheduled Job for System Maintenance
Description: A scheduled job runs using Task Scheduler or cron to perform system maintenance tasks, such as log rotation or disk cleanup, which may involve JavaScript-based scripts.
Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., schtasks.exe, cron), or filter by process name (e.g., logrotate.exe, cleanmgr.exe).

Scenario: Admin Task Using PowerShell with JavaScript-like Syntax
Description: An administrator uses PowerShell with script blocks that resemble JavaScript syntax (e.g., using Invoke-Expression or Write-Output) for automation tasks.
Filter/Exclusion: Exclude processes running under admin accounts or filter by process name (e.g., powershell.exe with specific command-line arguments or user context).

Scenario: Web Application with Embedded JavaScript
Description: A legitimate web application (e.g., WordPress, Drupal) uses JavaScript for client-side scripting, which may trigger the rule due to script execution patterns.
Filter/Exclusion: Exclude processes related to web servers (e.g., httpd.exe, iisexpress.exe) or filter by domain/IP associated with the legitimate web application.

Scenario: Legacy System Compatibility Script
Description: A script is run to ensure compatibility with legacy systems, using JavaScript-like syntax for configuration or migration tasks.
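To make the query's logic and the tuning discussed in the false-positive scenarios testable offline, here is an added Python re-implementation of the rule; it is not Microsoft's code and not part of the original query file. It mirrors the four `where` predicates and the `project` clause over rows shaped like DeviceProcessEvents. The sample events are constructed, `kql_has()` is only an approximation of KQL's `has` operator (case-insensitive whole-term match, not the Kusto tokenizer), and the `excluded_accounts` hook, which compares against the `AccountName` column, is this example's assumption about how the "filter by user account" exclusion above would be expressed.

```python
"""Offline re-implementation of the Qakbot cscript/JavaScript hunting rule.

Added example, not Microsoft's code. Events are constructed, and kql_has()
only approximates KQL's `has` (case-insensitive whole-term match)."""
import re
from typing import Dict, Iterable, List, Tuple


def kql_has(haystack: str, phrase: str) -> bool:
    """Approximate KQL `has`: the phrase must appear case-insensitively with a
    term boundary (non-alphanumeric) on both sides, so 'restart /MIN' does not
    satisfy has "start /MIN" the way a plain `contains` would."""
    pattern = r"(?<![0-9A-Za-z])" + re.escape(phrase) + r"(?![0-9A-Za-z])"
    return re.search(pattern, haystack, flags=re.IGNORECASE) is not None


def matches_rule(event: Dict[str, str]) -> bool:
    """The four `where` predicates of the published query. KQL `==` on strings
    is case-sensitive, so the file-name checks are exact, as in the query."""
    return (
        event.get("InitiatingProcessFileName") == "cmd.exe"
        and event.get("FileName") == "cscript.exe"
        and kql_has(event.get("InitiatingProcessCommandLine", ""), "start /MIN")
        and kql_has(event.get("ProcessCommandLine", ""), "E:javascript")
    )


# Columns kept by the query's `project` clause.
PROJECTED: Tuple[str, ...] = (
    "ProcessCommandLine", "InitiatingProcessCommandLine", "DeviceId", "Timestamp")


def hunt(events: Iterable[Dict[str, str]],
         excluded_accounts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Run the rule over DeviceProcessEvents-shaped rows and project the same
    columns as the query. excluded_accounts is a tuning hook (an assumption of
    this example) for the per-account exclusions the false-positive scenarios
    suggest; it is compared case-insensitively against AccountName."""
    excluded = {a.lower() for a in excluded_accounts}
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("AccountName", "").lower() in excluded:
            continue
        hits.append({col: ev.get(col) for col in PROJECTED})
    return hits


def _event(ts, device, account, parent_cmd, child_file, child_cmd):
    """Build a constructed DeviceProcessEvents-like row (subset of columns)."""
    return {
        "Timestamp": ts, "DeviceId": device, "AccountName": account,
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": parent_cmd,
        "FileName": child_file, "ProcessCommandLine": child_cmd,
    }


LURE = r'"C:\Users\jdoe\AppData\Local\Temp\invoice.txt"'  # constructed path

# Constructed sample telemetry; no real hosts or campaigns.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. The pattern the rule targets: cmd.exe starts a minimized cscript.exe
    #    with the JavaScript engine switch.
    _event("2024-01-01T09:00:01Z", "dev-01", "jdoe",
           "cmd.exe /c start /MIN cscript.exe //E:javascript " + LURE,
           "cscript.exe", "cscript.exe //E:javascript " + LURE),
    # 2. Same parent but wscript.exe: the rule is scoped to cscript.exe, so
    #    this row is not returned (worth knowing when assessing coverage).
    _event("2024-01-01T09:00:02Z", "dev-01", "jdoe",
           "cmd.exe /c start /MIN wscript.exe //E:javascript " + LURE,
           "wscript.exe", "wscript.exe //E:javascript " + LURE),
    # 3. Benign maintenance script: no engine switch, so not a hit.
    _event("2024-01-02T03:00:00Z", "dev-02", "SYSTEM",
           r"cmd.exe /c start /MIN cscript.exe C:\Scripts\cleanup.js",
           "cscript.exe", r"cscript.exe C:\Scripts\cleanup.js"),
    # 4. Mixed case: `has` is case-insensitive, so this still matches.
    _event("2024-01-03T10:15:00Z", "dev-03", "asmith",
           "cmd.exe /c start /MIN cscript.exe //e:JavaScript " + LURE,
           "cscript.exe", "cscript.exe //e:JavaScript " + LURE),
    # 5. Matches the rule but runs under a service account an analyst may
    #    decide to exclude after reviewing it (the tuning hook below).
    _event("2024-01-03T11:00:00Z", "dev-04", "svc-reporting",
           r"cmd.exe /c start /MIN cscript.exe //E:javascript C:\Reports\build.txt",
           "cscript.exe", r"cscript.exe //E:javascript C:\Reports\build.txt"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceId"], hit["ProcessCommandLine"])
    tuned = hunt(SAMPLE_EVENTS, excluded_accounts=("svc-reporting",))
    print(len(tuned), "hits after excluding svc-reporting")
```

Running the script returns three of the five constructed rows (events 1, 4 and 5) and two once `svc-reporting` is excluded. Exclusions by account or process name narrow the rule, so any allow-list entry should be recorded with the review that justified it; the `has` approximation also shows why the query tolerates case differences in the engine switch but not partial-word matches.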