This repository was archived by the owner on Nov 16, 2023. It is now read-only.
This repository was archived by the owner on Nov 16, 2023. It is now read-only.
Qakbot campaign process injection query is not correct #430
Description
I would like to bring to your attention that the Process injection by Qakbot malware is misleading since the query is actually for the cookie and browsing history theft of the same malware family.
I checked with the report "Qakbot blight lingers, seeds ransomware" and did a pull request #429 for the correction needed.
The query
DeviceProcessEvents | where FileName == "esentutl.exe" | where ProcessCommandLine has "WebCache" | where ProcessCommandLine has_any ("V01", "/s", "/d") | project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
is corresponding to cookie and browsing history theft and should have it's separate file.