Qakbot malware is attempting to self-delete to evade detection, indicating an active adversary trying to persist undetected in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Qakbot infections before they cause further damage.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has "calc.exe"
    and InitiatingProcessCommandLine has "-n 6"
    and InitiatingProcessCommandLine has "127.0.0.1"
| project ProcessCommandLine, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, DeviceId, Timestamp
```
```yaml
id: 0ec8d8df-2a7f-4cc0-9bd4-64d8f5103e3b
name: qakbot-campaign-self-deletion
description: |
  This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
  Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
  The following query detects if an instance of Qakbot has attempted to overwrite its original binary.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  DeviceProcessEvents
  | where FileName =~ "ping.exe"
  | where InitiatingProcessFileName =~ "cmd.exe"
  | where InitiatingProcessCommandLine has "calc.exe"
      and InitiatingProcessCommandLine has "-n 6"
      and InitiatingProcessCommandLine has "127.0.0.1"
  | project ProcessCommandLine, InitiatingProcessCommandLine,
      InitiatingProcessParentFileName, DeviceId, Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
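To check what the query above actually fires on before scheduling it, the following added example (written for this page, not code from Microsoft or the Sentinel repository) replays the same predicate over constructed DeviceProcessEvents-style rows. It assumes a simplified model of KQL semantics: `=~` as a case-insensitive compare and `has` as a term-boundary match, so "-n 60" does not satisfy `has "-n 6"`; the `excluded_parents` parameter is a hypothetical hook for the false-positive exclusions discussed on this page, and all sample rows are constructed.

```python
import re

# Simplified model of the KQL operators in the hunting query: `=~` is a case-insensitive
# compare; `has` matches whole terms (or a phrase of terms) on token boundaries, not substrings.
_TOKEN = re.compile(r"[a-z0-9]+")

def kql_has(text: str, phrase: str) -> bool:
    """True if every token of `phrase` occurs contiguously, in order, in `text`."""
    hay, needle = _TOKEN.findall(text.lower()), _TOKEN.findall(phrase.lower())
    return any(hay[i:i + len(needle)] == needle
               for i in range(len(hay) - len(needle) + 1))

PROJECTED = ("ProcessCommandLine", "InitiatingProcessCommandLine",
             "InitiatingProcessParentFileName", "DeviceId", "Timestamp")

def hunt_qakbot_self_deletion(events: list[dict],
                              excluded_parents: frozenset = frozenset()) -> list[dict]:
    """Apply the page's DeviceProcessEvents query to event dicts. `excluded_parents`
    (hypothetical) drops rows whose grandparent is an allow-listed cleanup tool."""
    hits = []
    for e in events:
        cmd = e["InitiatingProcessCommandLine"]
        if (e["FileName"].lower() == "ping.exe"
                and e["InitiatingProcessFileName"].lower() == "cmd.exe"
                and kql_has(cmd, "calc.exe") and kql_has(cmd, "-n 6")
                and kql_has(cmd, "127.0.0.1")
                and e["InitiatingProcessParentFileName"].lower() not in excluded_parents):
            hits.append({k: e[k] for k in PROJECTED})
    return hits

def _event(device, fname, init, init_cmd, parent):
    """Build one constructed row (sample data, not real telemetry)."""
    return {"Timestamp": "2024-01-10T08:00:00Z", "DeviceId": device, "FileName": fname,
            "ProcessCommandLine": f"{fname} -n 6 127.0.0.1", "InitiatingProcessFileName": init,
            "InitiatingProcessCommandLine": init_cmd, "InitiatingProcessParentFileName": parent}

# Constructed sample rows: #1 and #4 match the documented pattern, #2 lacks calc.exe,
# #3 is launched by powershell.exe, #5 carries "-n 60", which is not the term "-n 6".
SAMPLE_EVENTS = [
    _event("dev-001", "ping.exe", "cmd.exe",
           'cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\\Windows\\System32\\calc.exe > '
           '"C:\\Users\\alice\\AppData\\Roaming\\sample.exe"', "sample.exe"),
    _event("dev-002", "ping.exe", "cmd.exe", "cmd.exe /c ping -n 6 127.0.0.1", "explorer.exe"),
    _event("dev-003", "ping.exe", "powershell.exe",
           "powershell.exe -c ping -n 6 127.0.0.1; calc.exe", "explorer.exe"),
    _event("dev-004", "PING.EXE", "Cmd.exe",
           "Cmd.exe /C ping -n 6 127.0.0.1 & copy CALC.EXE update.exe", "update.exe"),
    _event("dev-005", "ping.exe", "cmd.exe", "cmd.exe /c ping -n 60 127.0.0.1 calc.exe", "x.exe"),
]
```

Running `hunt_qakbot_self_deletion(SAMPLE_EVENTS)` returns the rows for dev-001 and dev-004 only; real Sentinel `has` indexing differs in details (minimum term length, for one), so validate the final query against live data.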
Scenario: Scheduled Task Cleanup
Description: A system administrator runs a scheduled task to clean up temporary files or old logs, which may include deleting files that match Qakbot’s file patterns.
Filter/Exclusion: Exclude processes associated with known cleanup tools like cleanmgr.exe, del, or tasks scheduled via schtasks.exe with known admin-defined cleanup scripts.
Scenario: Windows Update Cleanup
Description: Windows Update may delete old system files or temporary installation files, which could be flagged as self-deletion by the Qakbot detection rule.
Filter/Exclusion: Exclude processes related to wusa.exe or WindowsUpdate.exe during update cleanup operations.
Scenario: Antivirus Quarantine Removal
Description: An endpoint protection tool (e.g., Bitdefender, Kaspersky) may delete quarantined files, which could be misidentified as Qakbot self-deletion.
Filter/Exclusion: Exclude processes from known antivirus tools like bdagent.exe, kavsvc.exe, or avgnt.exe during quarantine cleanup.
Scenario: Log File Rotation or Purge
Description: System or application log files are rotated or purged by tools like logrotate (Linux) or Event Viewer (Windows), which may delete files matching Qakbot’s file signatures.
Filter/Exclusion: Exclude processes related to log management tools such as logrotate, logparser.exe, or eventvwr.exe during log cleanup.
Scenario: Disk Cleanup Tool Usage
Description: A user or admin runs the built-in Disk Cleanup tool (cleanmgr.exe) which may delete temporary or cached files that match Qakbot’s file patterns.
Filter/Exclusion: Exclude processes initiated by cleanmgr.exe or `diskcleanup