title: QBot Process Creation
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: experimental
description: Detects QBot-like process executions
author: Florian Roth
date: 2019/10/01
modified: 2021/01/25
tags:
    - attack.execution
    - attack.t1059.005
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\WinRAR.exe'
        Image|endswith: '\wscript.exe'
    selection2:
        CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
    selection3:
        CommandLine|contains|all:
            - 'regsvr32.exe'
            - 'C:\ProgramData'
            - '.tmp'
    condition: selection1 or selection2 or selection3
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
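The following is an added example, not part of the rule above or of the Sigma project: a small Python evaluator that applies the three selections and the `or` condition to process_creation events, so the rule's logic can be checked against sample telemetry before it is converted for a SIEM. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, ParentCommandLine) and uses constructed events; Sigma's `endswith` and `contains` modifiers are matched case-insensitively, as Sigma does by default.

```python
"""Added example: evaluate the QBot Sigma rule against process_creation events.
Field names follow Sysmon Event ID 1 (assumption); all events are constructed."""

# Sigma string modifiers are case-insensitive by default; mirror that here.
def _ends_with(value, suffix):
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

def selection1(event):
    # wscript.exe spawned directly by WinRAR.exe
    return (_ends_with(event.get("ParentImage", ""), "\\WinRAR.exe")
            and _ends_with(event.get("Image", ""), "\\wscript.exe"))

def selection2(event):
    # ping-based delay followed by 'type', as listed in the rule
    return _contains(event.get("CommandLine", ""), " /c ping.exe -n 6 127.0.0.1 & type ")

def selection3(event):
    # regsvr32.exe plus a .tmp file under C:\ProgramData; all three must be present
    cmd = event.get("CommandLine", "")
    return all(_contains(cmd, s) for s in ("regsvr32.exe", "C:\\ProgramData", ".tmp"))

SELECTIONS = (("selection1", selection1), ("selection2", selection2), ("selection3", selection3))

def matches_qbot_rule(event):
    """condition: selection1 or selection2 or selection3"""
    return any(f(event) for _, f in SELECTIONS)

def hits(events):
    """Return matching events with the rule's 'fields' and the selections that fired."""
    return [
        {
            "CommandLine": e.get("CommandLine"),
            "ParentCommandLine": e.get("ParentCommandLine"),
            "matched": [name for name, f in SELECTIONS if f(e)],
        }
        for e in events
        if matches_qbot_rule(e)
    ]

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {   # benign: Explorer launching Notepad
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # selection1: wscript.exe whose parent is WinRAR.exe
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\invoice.vbs"',
        "ParentCommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.rar"',
    },
    {   # selection2: the cmd /c ping ... & type pattern from the rule
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\alice\AppData\Roaming\dropper.exe",
        "CommandLine": r'cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Users\alice\AppData\Roaming\a.exe" > "C:\Users\alice\AppData\Roaming\b.exe"',
        "ParentCommandLine": r"C:\Users\alice\AppData\Roaming\dropper.exe",
    },
    {   # selection3, with different letter case: still matches
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"REGSVR32.EXE -s C:\PROGRAMDATA\Abc123\payload.tmp",
        "ParentCommandLine": r"cmd.exe /c REGSVR32.EXE -s C:\PROGRAMDATA\Abc123\payload.tmp",
    },
    {   # no match: the .tmp is not under C:\ProgramData, so selection3 is incomplete
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"regsvr32.exe -s C:\Users\alice\AppData\Local\Temp\x.tmp",
        "ParentCommandLine": r"cmd.exe /c regsvr32.exe -s C:\Users\alice\AppData\Local\Temp\x.tmp",
    },
]

if __name__ == "__main__":
    for h in hits(SAMPLE_EVENTS):
        print(h["matched"], h["CommandLine"])
```

The last two sample events show why `contains|all` matters for selection3: the rule requires all three substrings, so a regsvr32 load of a .tmp outside C:\ProgramData does not fire, which keeps the rule's false-positive rate low at the cost of missing that variation.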