
Summary
This rule identifies a specific tactic used by the Qakbot threat actor, which delivers its payload through zipped files containing a mix of document types, particularly PDF, text files, and Windows Script Files (WSF). The rule detects zip files with a particular structural characteristic: at a depth of 1, the archive contains at least two distinct files of the types PDF and text, alongside a WSF file. Detection is based on matching file extensions and file types and checking each entry's depth within the archive. The rule uses an inbound type filter to scrutinize attachments and applies conditions such as common archive file extensions and MIME types. Overall, this rule serves as a proactive measure against malware delivery that leverages otherwise benign file formats, helping to prevent Qakbot infections.
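The structural check described above, written out as an added Python example (not the rule's own logic): the attachment filter on archive extension/MIME type, then a walk over depth-1 zip entries that classifies each by extension and magic bytes and requires at least two PDF/text files plus a WSF. The sample archive, its file names and the `<job>` content sniff are constructed assumptions for the demo.

```python
import io
import zipfile
from collections import Counter

# Inbound attachment filter assumed for this example (common archive types).
ARCHIVE_EXTS = {"zip"}
ARCHIVE_MIMES = {"application/zip", "application/x-zip-compressed"}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _classify(ext: str, head: bytes) -> str:
    """Classify an entry as pdf/text/wsf/other by extension and leading bytes."""
    if ext == "pdf" or head.startswith(b"%PDF"):
        return "pdf"
    if ext == "wsf" or b"<job" in head.lower():  # WSF files are <job> XML
        return "wsf"
    if ext == "txt":
        return "text"
    return "other"


def is_archive_attachment(filename: str, content_type: str) -> bool:
    return _ext(filename) in ARCHIVE_EXTS or content_type.lower() in ARCHIVE_MIMES


def matches_qakbot_zip(zip_bytes: bytes) -> bool:
    """True when depth-1 entries hold >= 2 PDF/text files and >= 1 WSF file."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return False
    kinds = Counter()
    for info in zf.infolist():
        if info.is_dir() or "/" in info.filename.strip("/"):
            continue  # nested entries are deeper than depth 1; skip them
        with zf.open(info) as fh:
            head = fh.read(512)
        kinds[_classify(_ext(info.filename), head)] += 1
    return (kinds["pdf"] + kinds["text"]) >= 2 and kinds["wsf"] >= 1


def build_sample_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mirroring the described layout (placeholder content only).
LURE = build_sample_zip({
    "invoice.pdf": b"%PDF-1.4 constructed placeholder",
    "notes.txt": b"constructed placeholder text",
    "open.wsf": b'<job id="x"><script language="JScript"></script></job>',
})
```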
Categories
- Network
- Endpoint
- Cloud
- Windows
- Linux
Data Sources
- File
- Container
- Application Log
Created: 2023-02-24