rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml

title: Esentutl Steals Browser Information 
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: experimental
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022/02/13
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: \esentutl.exe
        CommandLine|contains|all:
            - '/r '
            - '\Windows\WebCache'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
tags:
    - attack.collection
    - attack.t1005
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`title: Esentutl Steals Browser Information`
			`id: 6a69f62d-ce75-4b57-8dce-6351eb55b362`
			`status: experimental`
			`description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe`
			`references:`
			`- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/`
			`- https://redcanary.com/threat-detection-report/threats/qbot/`
			`author: frack113`
			`date: 2022/02/13`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`Image\|endswith: \esentutl.exe`
			`CommandLine\|contains\|all:`
			`- '/r '`
			`- '\Windows\WebCache'`
			`condition: selection`
			`falsepositives:`
fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00			`- Legitimate use`
$frack113$ Missing Qbot rules 2022-02-13 16:07:28 +01:00			`level: medium`
			`tags:`
			`- attack.collection`
			`- attack.t1005`