Qakbot & Their Hidden Slasher Obfuscation
I noticed on Twitter a relatively novel obfuscation or anti-forensics technique that Qakbot (or qbot) has started using.
It surprises me that more threat actors don't employ some basic command-line obfuscation techniques, as they can really screw with SIEM detections with a minimum of effort.
Credit to Max_Malyutin on Twitter for flagging this and grabbing my attention:
I hadn't seen multiple backslashes used as path separators like this on the Windows command line before, but sure enough, it works. Here's what an event looks like in Splunk:
This takes advantage of the way SIEMs like Splunk handle backslashes: they themselves need to be escaped, so a search for a normal file path (in this case cmd.exe) looks like this in Splunk:
To look for our obfuscated command line with extra backslashes, we'll want to match 4 or more backslashes in a row; once escaped for Splunk, that is 8 backslashes in our search:
Or in SPL:
index=<your-index-here> EventCode=4688 Process_Command_Line IN (*\\\\\\\\*)
And that will turn up 4 or more backslashes in a row.
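The same hunt can be run outside Splunk, for instance over exported 4688 events or in a detection pipeline that feeds the SIEM. The following is an added example of mine, not code from the original post or from any Qakbot tooling: it applies the same "4 or more literal backslashes" threshold as the SPL term above, and then collapses the padded runs so that the normalized path can still be matched against a list of interesting executables (cmd.exe, rundll32.exe, and so on). The sample events are constructed, and the normalization assumes Win32-style behaviour where repeated separators collapse to one, except a run opening a token, which is kept as a two-backslash UNC prefix.

```python
import re
from typing import Iterable

# Constructed sample 4688-style events (not real telemetry). Events 1 and 3
# carry the padded-backslash pattern described in the post; event 4 has the
# pattern but the wrong EventCode and must be ignored.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "Process_Command_Line": r"C:\Windows\System32\cmd.exe /c whoami"},
    {"EventCode": 4688, "Process_Command_Line": r"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami"},
    {"EventCode": 4688, "Process_Command_Line": r'"C:\Program Files\App\app.exe" --update'},
    {"EventCode": 4688, "Process_Command_Line": r"rundll32.exe C:\\\\\\Temp\\payload.dll,Entry"},
    {"EventCode": 4624, "Process_Command_Line": r"C:\\\\\\\\Windows\\\\cmd.exe"},
]

# Same threshold as the SPL term *\\\\\\\\* (8 escaped backslashes = 4 literal ones).
MIN_RUN = 4


def has_backslash_padding(cmdline: str, min_run: int = MIN_RUN) -> bool:
    """True when the command line contains min_run or more consecutive backslashes."""
    return re.search(r"\\{%d,}" % min_run, cmdline) is not None


def normalize_separators(cmdline: str) -> str:
    """Collapse padded backslash runs the way Win32 path normalization does.

    Assumption: a run collapses to a single separator, except a run that opens a
    token (start of string, after whitespace or a quote), which is kept as the
    two-backslash UNC prefix so \\server\share paths survive normalization.
    """
    def collapse(m: re.Match) -> str:
        before = m.string[m.start() - 1] if m.start() > 0 else " "
        return "\\\\" if before in " \t\"'" else "\\"
    return re.sub(r"\\{2,}", collapse, cmdline)


def executable_name(cmdline: str) -> str:
    """Lower-cased basename of the first token (quoted or bare) of a command line."""
    token = re.match(r'"([^"]+)"|(\S+)', cmdline)
    first = (token.group(1) or token.group(2)) if token else ""
    return first.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict], min_run: int = MIN_RUN) -> list:
    """Mirror the SPL search over parsed events: EventCode 4688 only, flag padded
    command lines, and report the normalized form and executable name so that
    downstream matching on the real binary still works."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev.get("Process_Command_Line", "")
        if ev.get("EventCode") != 4688 or not has_backslash_padding(cmd, min_run):
            continue
        norm = normalize_separators(cmd)
        hits.append({"index": i, "raw": cmd, "normalized": norm, "exe": executable_name(norm)})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"event {h['index']}: {h['exe']} <- {h['raw']}")
```

Keeping the raw command line next to the normalized one matters for triage: the padding itself is the indicator, but analysts and any follow-on rules (parent/child process checks, blocklists of LOLBins) want the path Windows actually resolved.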
Happy hunting.