Microsoft-365-Defender-Hunting-Queries
Microsoft-365-Defender-Hunting-Queries copied to clipboard
Qakbot campaign process injection query is not correct
I would like to bring to your attention that the Process injection by Qakbot malware is misleading since the query is actually for the cookie and browsing history theft of the same malware family. I checked with the report "Qakbot blight lingers, seeds ransomware" and did a pull request #429 for the correction needed.
The query
DeviceProcessEvents | where FileName == "esentutl.exe" | where ProcessCommandLine has "WebCache" | where ProcessCommandLine has_any ("V01", "/s", "/d") | project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
is corresponding to cookie and browsing history theft and should have it's separate file.