This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
The following query detects possible use of the system process, esentutl.exe, to look through a user's browser history and steal cookies.
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine,
InitiatingProcessParentFileName, DeviceId, TimestampThis query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | v | |
| Discovery | v | |
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Misconfiguration | ||
| Malware, component |
- Self-deletion by Qakbot malware
- Process injection by Qakbot malware
- Registry edits by campaigns using Qakbot malware
- Outlook email access by campaigns using Qakbot malware
- Javascript use by Qakbot malware
Contributor: Microsoft Threat Protection team