Last active
May 14, 2020 16:56
-
-
Save dlee35/03773b26c72e28a205586e4aaafe15f9 to your computer and use it in GitHub Desktop.
Qbot ESA Rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Version: 2 | |
| */ | |
| @Name('Module_QbotCampaign_Alert') | |
| @Description('Current Qbot campaigns attempt to download a supposed PNG file with a filename consisting of between 4-8 numeric characters that is actually an EXE. This is a good post infection IoC.') | |
| @RSAAlert(oneInSeconds=0) | |
| SELECT * FROM | |
| Event | |
| ( | |
| service=80 | |
| AND | |
| filename REGEXP '[0-9]{4,8}\.png' | |
| AND | |
| filetype='windows executable' | |
| ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment