Windows MsiExec HideWindow Rundll32 Execution
- source: splunk
- techniques:
- T1218.007
- T1218
Description
The following analytic identifies a process whose parent is msiexec.exe and whose command line contains both the /HideWindow switch and rundll32. One tactic observed with QakBot is abusing legitimate system processes such as "msiexec", "hidewindow" and "rundll32" through command-line execution. By leveraging these trusted processes, QakBot masks its malicious operations behind seemingly normal system activity. This approach lets the trojan carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers, and to operate stealthily, evading security mechanisms without raising suspicion.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_msiexec_hidewindow_rundll32_execution_filter`
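As an added example (not Splunk's own code), the Python below reproduces the matching and grouping of the SPL above over constructed Endpoint.Processes-style events, so the logic can be unit-tested outside Splunk. Wildcard handling (`*` as "match anything") and case-insensitive comparison are assumptions about how Splunk evaluates these field filters.

```python
import re

# Constructed sample events shaped like Endpoint.Processes fields (not real telemetry).
# Events 0 and 1 show the pattern the rule targets; 2 lacks /HideWindow; 3 has the wrong parent.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "alice", "parent_process_id": 1234,
     "parent_process_name": "msiexec.exe", "parent_process": "msiexec.exe /i pkg.msi /qn",
     "process_name": "msiexec.exe", "process_id": 4321,
     "process": "msiexec.exe /HideWindow rundll32.exe C:\\Users\\Public\\a.dll,DllRegisterServer"},
    {"_time": 1700000060, "dest": "ws01", "user": "alice", "parent_process_id": 1234,
     "parent_process_name": "msiexec.exe", "parent_process": "msiexec.exe /i pkg.msi /qn",
     "process_name": "msiexec.exe", "process_id": 4321,
     "process": "msiexec.exe /HideWindow rundll32.exe C:\\Users\\Public\\a.dll,DllRegisterServer"},
    {"_time": 1700000120, "dest": "ws02", "user": "bob", "parent_process_id": 777,
     "parent_process_name": "msiexec.exe", "parent_process": "msiexec.exe /i pkg.msi /qn",
     "process_name": "msiexec.exe", "process_id": 778, "process": "msiexec.exe /i pkg.msi /qn"},
    {"_time": 1700000180, "dest": "ws03", "user": "carol", "parent_process_id": 900,
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process_name": "rundll32.exe", "process_id": 901, "process": "x.exe /HideWindow rundll32 y.dll"},
]

def splunk_wildcard(pattern):
    # Assumption: '*' matches any run of characters and values compare case-insensitively.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE | re.DOTALL)

HIDEWINDOW = splunk_wildcard("* /HideWindow *")   # Processes.process = "* /HideWindow *"
RUNDLL32 = splunk_wildcard("* rundll32*")         # Processes.process = "* rundll32*"
GROUP_BY = ("dest", "user", "parent_process_name", "parent_process",
            "process_name", "process", "process_id", "parent_process_id")

def matches(ev):
    # All three where-clause conditions are ANDed, as in the SPL.
    proc = ev.get("process", "")
    return bool(ev.get("parent_process_name", "").lower() == "msiexec.exe"
                and HIDEWINDOW.match(proc) and RUNDLL32.match(proc))

def detect(events):
    # Mirror tstats: count, min(_time) as firstTime, max(_time) as lastTime, by GROUP_BY fields.
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **agg) for key, agg in groups.items()]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```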