rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml

title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: experimental
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022/02/13
modified: 2022/10/31
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: 'esentutl.exe'
    selection_flag:
        CommandLine|contains:
            - '/r'
            - '-r'
    selection_webcache:
        CommandLine|contains: '\Windows\WebCache'
    condition: all of selection*
falsepositives:
    - Legitimate use
level: medium
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`title: Esentutl Steals Browser Information`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`id: 6a69f62d-ce75-4b57-8dce-6351eb55b362`
			`status: experimental`
			`description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe`
			`references:`
			`- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/`
			`- https://redcanary.com/threat-detection-report/threats/qbot/`
Update proc_creation_win_esentutl_webcache.yml 2022-10-31 20:56:29 +01:00			`- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`author: frack113`
			`date: 2022/02/13`
Update proc_creation_win_esentutl_webcache.yml 2022-10-31 20:56:29 +01:00			`modified: 2022/10/31`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.collection`
			`- attack.t1005`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Updated Rules to Use OriginalFileName 2022-05-12 23:27:48 +01:00			`selection_img:`
			`- Image\|endswith: '\esentutl.exe'`
			`- OriginalFileName: 'esentutl.exe'`
Update proc_creation_win_esentutl_webcache.yml 2022-10-31 20:56:29 +01:00			`selection_flag:`
			`CommandLine\|contains:`
			`- '/r'`
			`- '-r'`
			`selection_webcache:`
			`CommandLine\|contains: '\Windows\WebCache'`
Updated Rules to Use OriginalFileName 2022-05-12 23:27:48 +01:00			`condition: all of selection*`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`falsepositives:`
fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00			`- Legitimate use`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`level: medium`