Qakbot campaign process injection query is not correct #430

ionsor · 2021-11-09T12:13:25Z

I would like to bring to your attention that the Process injection by Qakbot malware is misleading since the query is actually for the cookie and browsing history theft of the same malware family.
I checked with the report "Qakbot blight lingers, seeds ransomware" and did a pull request #429 for the correction needed.

The query
DeviceProcessEvents | where FileName == "esentutl.exe" | where ProcessCommandLine has "WebCache" | where ProcessCommandLine has_any ("V01", "/s", "/d") | project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

is corresponding to cookie and browsing history theft and should have it's separate file.

The text was updated successfully, but these errors were encountered:

ionsor changed the title ~~Qakbot campaign process injection needs correction~~ Qakbot campaign process injection is misleading Nov 9, 2021

ionsor changed the title ~~Qakbot campaign process injection is misleading~~ Qakbot campaign process injection query is not correct Nov 9, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Qakbot campaign process injection query is not correct #430

Qakbot campaign process injection query is not correct #430

ionsor commented Nov 9, 2021

Qakbot campaign process injection query is not correct #430

Qakbot campaign process injection query is not correct #430

Comments

ionsor commented Nov 9, 2021