Detect Malware in IBM QRadar
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.001 Malware
- Canonical reference: https://attack.mitre.org/techniques/T1588/001/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
destinationip,
destinationport,
username,
QIDNAME(qid) AS event_name,
"EventID" AS windows_event_id,
LOWER("Image") AS process_image,
LOWER("CommandLine") AS command_line,
"ParentImage" AS parent_image,
"TargetFilename" AS target_file,
CASE
WHEN "EventID" IN ('1','4688') AND LOWER("Image") MATCHES '.*\b(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$' THEN 'Commodity Malware Binary Name'
WHEN "EventID" IN ('1','4688') AND LOWER("CommandLine") MATCHES '.*(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer).*' THEN 'Commodity Malware Command Line'
WHEN "EventID" = '3' AND destinationport IN (4444,31337,50050,9999,8888,6666,5555,7777,1234) THEN 'LOLBin C2 Port Connection'
WHEN "EventID" = '11' THEN 'Staging File Artifact'
ELSE 'Unknown'
END AS detection_branch
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
AND (
(
"EventID" IN ('1', '4688')
AND (
LOWER("Image") MATCHES '.*\b(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$'
OR (
LOWER("CommandLine") MATCHES '.*(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer).*'
AND NOT LOWER("ParentImage") MATCHES '.*(chrome|msedge|firefox|code|devenv|notepad)\.exe$'
)
)
)
OR (
"EventID" = '3'
AND destinationport IN (4444, 31337, 50050, 9999, 8888, 6666, 5555, 7777, 1234)
AND NOT (
destinationip LIKE '10.%' OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%' OR destinationip LIKE '172.20.%'
OR destinationip LIKE '172.21.%' OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%' OR destinationip LIKE '172.26.%'
OR destinationip LIKE '172.27.%' OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
OR destinationip LIKE '192.168.%' OR destinationip = '127.0.0.1'
)
AND LOWER("Image") MATCHES '.*(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$'
)
OR (
"EventID" = '11'
AND (
LOWER("TargetFilename") LIKE '%\\appdata\\roaming\\%'
OR LOWER("TargetFilename") LIKE '%\\appdata\\local\\temp\\%'
OR LOWER("TargetFilename") LIKE '%\\programdata\\%'
OR LOWER("TargetFilename") LIKE '%\\windows\\temp\\%'
OR LOWER("TargetFilename") LIKE '%\\users\\public\\%'
)
AND (
LOWER("TargetFilename") LIKE '%.bin'
OR LOWER("TargetFilename") LIKE '%.dat'
OR LOWER("TargetFilename") LIKE '%.tmp'
)
AND LOWER("Image") MATCHES '.*(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$'
)
)
AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC

QRadar AQL detection across Sysmon (EID 1, 3, 11) and Security log (EID 4688) event types. It covers process creation matching commodity RAT binary names or malware framework command-line strings, LOLBin outbound connections to known C2 listener ports, and script-interpreter staging of binary payloads to user-writable system paths. Requires the Sysmon custom fields (Image, CommandLine, ParentImage, TargetFilename, DestinationPort) to be parsed and mapped in QRadar log source extensions.
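As an added illustration that is not part of the original page or of QRadar, the following Python replays the four AQL branches above over constructed Sysmon/Security events, including the ParentImage and RFC 1918 exclusions and a red-team source allowlist of the kind the False Positives & Tuning section recommends (the 10.50.0.0/24 range and every event are placeholders, not page data).

```python
import ipaddress
import re
# Regexes ported verbatim from the AQL branches (AQL MATCHES anchors the whole string, like re.fullmatch).
MALWARE_IMAGE_RE = re.compile(r'.*\b(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$')
MALWARE_CMDLINE_RE = re.compile(r'.*(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer).*')
BENIGN_PARENT_RE = re.compile(r'.*(chrome|msedge|firefox|code|devenv|notepad)\.exe$')
LOLBIN_RE = re.compile(r'.*(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$')
INTERPRETER_RE = re.compile(r'.*(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$')
C2_PORTS = {4444, 31337, 50050, 9999, 8888, 6666, 5555, 7777, 1234}
# The RFC 1918 ranges the AQL excludes with LIKE prefixes, plus the loopback address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.1/32')]
STAGING_DIRS = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\', '\\programdata\\', '\\windows\\temp\\', '\\users\\public\\')
STAGING_EXTS = ('.bin', '.dat', '.tmp')
# Tuning knob from the False Positives section: allowlist of authorised red-team sources (placeholder range).
RED_TEAM_SOURCES = [ipaddress.ip_network('10.50.0.0/24')]

def classify(ev):
    """Return the detection_branch label the AQL CASE would assign, or None if the WHERE clause drops the event."""
    src = ipaddress.ip_address(ev.get('sourceip', '0.0.0.0'))
    if any(src in net for net in RED_TEAM_SOURCES):
        return None  # authorised red-team activity, suppressed before any branch is evaluated
    eid, image = str(ev['EventID']), ev.get('Image', '').lower()
    if eid in ('1', '4688'):
        if MALWARE_IMAGE_RE.fullmatch(image):
            return 'Commodity Malware Binary Name'
        if MALWARE_CMDLINE_RE.fullmatch(ev.get('CommandLine', '').lower()) and not BENIGN_PARENT_RE.fullmatch(ev.get('ParentImage', '').lower()):
            return 'Commodity Malware Command Line'
    elif eid == '3':
        dst = ipaddress.ip_address(ev['destinationip'])
        if ev['destinationport'] in C2_PORTS and not any(dst in net for net in INTERNAL_NETS) and LOLBIN_RE.fullmatch(image):
            return 'LOLBin C2 Port Connection'
    elif eid == '11':
        target = ev.get('TargetFilename', '').lower()
        if any(d in target for d in STAGING_DIRS) and target.endswith(STAGING_EXTS) and INTERPRETER_RE.fullmatch(image):
            return 'Staging File Artifact'
    return None

# Constructed events using the field names the AQL reads; none of this is real telemetry.
SAMPLE_EVENTS = [
    {'EventID': 1, 'sourceip': '10.0.0.8', 'Image': r'C:\Users\bob\AppData\Local\Temp\njrat.exe', 'CommandLine': 'njrat.exe /all', 'ParentImage': r'C:\Windows\explorer.exe'},
    # Framework string on the command line but launched from VS Code: the ParentImage exclusion suppresses it.
    {'EventID': 4688, 'sourceip': '10.0.0.8', 'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd /c type asyncrat_notes.txt', 'ParentImage': r'C:\Program Files\Microsoft VS Code\Code.exe'},
    {'EventID': 3, 'sourceip': '10.0.0.8', 'Image': r'C:\Windows\System32\rundll32.exe', 'destinationip': '198.51.100.1', 'destinationport': 50050},
    # powershell.exe is not in the LOLBin list of the EID 3 branch, so this connection does not fire here.
    {'EventID': 3, 'sourceip': '10.0.0.8', 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'destinationip': '192.0.2.1', 'destinationport': 4444},
    {'EventID': 3, 'sourceip': '10.0.0.8', 'Image': r'C:\Windows\System32\rundll32.exe', 'destinationip': '10.1.2.3', 'destinationport': 4444},  # RFC 1918 destination: excluded
    {'EventID': 11, 'sourceip': '10.0.0.8', 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'TargetFilename': r'C:\Users\Public\stage.bin'},
    # Identical to the first event but from an allowlisted red-team host.
    {'EventID': 1, 'sourceip': '10.50.0.7', 'Image': r'C:\Users\bob\AppData\Local\Temp\njrat.exe', 'CommandLine': 'njrat.exe /all', 'ParentImage': r'C:\Windows\explorer.exe'},
]
```

Running `[classify(e) for e in SAMPLE_EVENTS]` keeps three events (binary name, LOLBin C2 port, staging file) and drops the other four, which shows why the EID 3 branch alone will not see PowerShell-originated connections.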
False Positives & Tuning
- Authorised red team or internal penetration testing activity using Cobalt Strike, Metasploit, or commodity RATs will trigger all three branches — create building blocks with a whitelist of authorised red team source IPs and schedule offsets
- Build servers or CI agents (Jenkins, TeamCity, Azure DevOps agents) that run powershell.exe or cmd.exe to package binary artifacts into ProgramData or AppData directories during deployments will match the staging file artifact branch
- Remote monitoring and management (RMM) agents such as ConnectWise Control or Datto RMM that operate on non-standard ports and communicate via svchost-hosted DLLs may match the C2 network port branch
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate njRAT/QuasarRAT Binary Name Pattern
Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.
- Test 2: Beacon-Pattern Network Connection to Non-Standard Port
Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless.
- Test 3: Infostealer Credential Target Access Simulation
Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.
- Test 4: Cobalt Strike Default C2 Port Connection Attempt
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. DNS query may be logged if name resolution was attempted.
- Test 5: Commodity Malware Dynamic DNS Resolution
Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
References (12)
- https://attack.mitre.org/techniques/T1588/001/
- https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- https://www.proofpoint.com/us/blog/threat-insight/ta2541-flying-under-radar
- https://www.crowdstrike.com/blog/aquatic-panda-targets-higher-education-with-novel-tools-ttps/
- https://www.kaspersky.com/blog/luminousmoth-apt/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://abuse.ch/blog/threatfox/
- https://bazaar.abuse.ch/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.001/T1588.001.md
- https://blog.talosintelligence.com/2022/09/from-the-labs-cobalt-strike-detection.html
- https://thedfirreport.com/
- https://www.sentinelone.com/labs/metador-le-meteore-des-apt/