Unmasking QakBot: A Deep Dive into Osquery for Enhanced Detection and Response

Written by
Tommy Perniciaro
Published on
May 16, 2023

QakBot (also tracked as Qbot or Pinkslipbot), a notorious banking Trojan, has been compromising systems and stealing sensitive data since 2007. Over the years it has evolved well beyond credential theft, gaining the ability to propagate across a network, evade detection, and deploy additional payloads.

As a cybersecurity professional, you need a tool that can answer precise questions about endpoint state at scale. Enter osquery, an open-source agent originally developed at Facebook and now a Linux Foundation project, which exposes the operating system (processes, files, registry keys, scheduled tasks, network sockets and more) as SQLite tables you can query with plain SQL.

In this article, we'll delve into the technical side of osquery and show how it can enhance your QakBot detection and response capabilities, with example queries keyed to the kinds of indicators of compromise (IOCs) QakBot leaves behind.

Inside QakBot

QakBot has been observed acting as a dropper for other types of malware, including ransomware, and it has been linked to the delivery of the ProLock and Egregor ransomware families.  

In these cases, QakBot first compromises a system and establishes persistence. Then, it downloads and installs the ransomware, which proceeds to encrypt the victim's files and demands a ransom payment for the decryption key.

This ability to deliver other malware, including ransomware, makes QakBot an even greater threat to organizations. It is crucial for cybersecurity professionals to stay vigilant and up to date on the latest tactics, techniques, and procedures employed by QakBot and other similar threats.  

Employing tools like osquery to detect and respond to QakBot infections can help organizations prevent the potential delivery of ransomware and limit the damage caused by such threats.

Understanding Osquery's Role in Cybersecurity:

Osquery acts as a versatile and powerful asset in any cybersecurity toolkit, giving you a consistent way to investigate potential threats within your systems. By using osquery to gather detailed information about processes, files, network connections, registry keys, and scheduled tasks, you can uncover the telltale signs of a QakBot infection. Osquery runs on Windows, macOS and Linux, which makes it a good fit for heterogeneous environments, though some tables are platform-specific: the scheduled_tasks and registry tables used below exist only on Windows, and every table's columns are documented in the osquery schema, so check a column name there before shipping a query.

Process Monitoring with Osquery:

Detect suspicious processes associated with QakBot with queries that target specific command-line arguments or unexpected parent-child relationships. The processes table only stores the parent's pid, so a self-join on pid is needed to see the parent's name alongside the child.

Example Query:

SELECT p.pid, p.name, p.cmdline, p.cwd, p.parent, pp.name AS parent_name
FROM processes p
LEFT JOIN processes pp ON pp.pid = p.parent
WHERE p.cmdline LIKE '%qbot%' OR p.cmdline LIKE '%qakbot%';

Scheduled Task Analysis:

Monitor and analyze scheduled tasks for signs of QakBot by crafting queries that target tasks with specific names or tasks whose action executes something from an unusual file path. In the scheduled_tasks table the command and its arguments live in the action column (there is no cmdline column), and enabled and last_run_time tell you whether the persistence is live.

Example Query:

SELECT t.name, t.path, t.action, t.enabled, t.last_run_time
FROM scheduled_tasks t
WHERE t.name LIKE 'Updater%' OR t.action LIKE '%qbot%';

File System Monitoring:

Detect new or modified files associated with QakBot by looking for files that match known QakBot file patterns, files created in unusual locations such as a user's roaming profile, or files with suspicious timestamps. Two tables apply: file_events is osquery's file integrity monitoring table on Linux and macOS and only produces rows for paths listed under file_paths in the osquery configuration, while the file table takes a point-in-time snapshot on every platform and requires a path or directory constraint in the WHERE clause (a single % matches one directory level and %% recurses). The query below uses the file table; note that in SQL LIKE an underscore matches any single character, so 'qbot%' is used rather than 'qbot_%'.

Example Query:

SELECT f.path, f.filename, f.size, f.mtime, f.btime
FROM file f
WHERE f.path LIKE 'C:\Users\%\AppData\Roaming\%%'
  AND f.filename LIKE 'qbot%';

Registry Change Detection:

Monitor the registry for potential QakBot-related persistence by querying specific keys and value names. Osquery exposes this through the registry table (there is no registry_changes table); it requires a constraint on key or path, and because osqueryd normally runs as SYSTEM, HKEY_CURRENT_USER resolves to the service account's hive rather than the logged-on user's, so hunt under HKEY_USERS with a wildcard SID to cover every loaded user hive.

Example Query:

SELECT r.key, r.name, r.type, r.data, r.mtime
FROM registry r
WHERE r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  AND r.name LIKE 'Updater%';

The literal strings in these queries ('qbot', 'Updater') are placeholders showing where an indicator goes; QakBot does not helpfully name its own artifacts, so replace them with current IOCs from your threat intelligence (task and Run-key names, DLL paths, hashes) before relying on them. QakBot's tactics, techniques, and procedures (TTPs) evolve over time, so it is essential to keep these queries and your knowledge of QakBot's behavior up to date to maintain effective detection. Scheduling the queries in an osquery pack with a platform of windows and forwarding the results to your SIEM turns them from one-off hunts into continuous detection.
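To confirm that the four hunting queries select the rows they are meant to, here is an added example (not code from the article, from Halcyon, or from the osquery project) that loads constructed sample rows into an in-memory SQLite mirror of the processes, scheduled_tasks, file and registry tables and runs the queries unchanged, with the table and column names corrected to the ones osquery actually exposes. Osquery's SQL engine is SQLite, so the syntax carries over. The column names are real osquery column names, but every row, the user name alice, the SID and the file name qbot_loader.dll are constructed for the test, and the mirror does not enforce osquery's table constraints (the file table's required path constraint and its one-level % versus recursive %% matching), so it tests the query logic, not osquery itself.

```python
"""Run QakBot hunting queries against an in-memory SQLite mirror of osquery tables."""
import sqlite3

# Column subsets of the real osquery tables these queries touch.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT,
                        cwd TEXT, parent INTEGER);
CREATE TABLE scheduled_tasks (name TEXT, path TEXT, action TEXT,
                              enabled INTEGER, last_run_time INTEGER);
CREATE TABLE file (path TEXT, directory TEXT, filename TEXT, size INTEGER,
                   mtime INTEGER, btime INTEGER);
CREATE TABLE registry (key TEXT, path TEXT, name TEXT, type TEXT, data TEXT,
                       mtime INTEGER);
"""

# Constructed values (assumptions for the test, not real telemetry).
APPDATA = r"C:\Users\alice\AppData\Roaming"
RUN_KEY = r"HKEY_USERS\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run"
LOADER = APPDATA + r"\qbot_loader.dll"

# Each table gets benign rows plus one row carrying the article's placeholder
# indicators ('qbot', 'Updater').  Real hunting swaps those for live IOCs.
ROWS = {
    "processes": [
        (4, "System", "", "", "", 0),
        (1200, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe",
         r"C:\Users\alice", 4),
        (3344, "regsvr32.exe", r"C:\Windows\System32\regsvr32.exe",
         "regsvr32.exe " + LOADER, r"C:\Users\alice", 1200),
    ],
    "scheduled_tasks": [
        ("GoogleUpdateTaskMachineUA", r"\GoogleUpdateTaskMachineUA",
         r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", 1, 1684100000),
        ("Updater-4f2a", r"\Updater-4f2a",
         r"C:\Windows\System32\regsvr32.exe " + LOADER, 1, 1684100000),
    ],
    "file": [
        (APPDATA + r"\Microsoft\Windows\Themes\slideshow.ini",
         APPDATA + r"\Microsoft\Windows\Themes", "slideshow.ini", 200, 1684000000, 1684000000),
        (LOADER, APPDATA, "qbot_loader.dll", 1048576, 1684099000, 1684099000),
    ],
    "registry": [
        (RUN_KEY, RUN_KEY + r"\OneDrive", "OneDrive", "REG_SZ",
         r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background", 1684000000),
        (RUN_KEY, RUN_KEY + r"\Updater", "Updater", "REG_SZ",
         "regsvr32.exe " + LOADER, 1684099500),
    ],
}

# The hunting queries, verbatim osquery SQL (raw strings keep the backslashes).
QUERIES = {
    "processes": r"""
        SELECT p.pid, p.name, p.cmdline, p.cwd, p.parent, pp.name AS parent_name
        FROM processes p
        LEFT JOIN processes pp ON pp.pid = p.parent
        WHERE p.cmdline LIKE '%qbot%' OR p.cmdline LIKE '%qakbot%'""",
    "scheduled_tasks": r"""
        SELECT t.name, t.path, t.action, t.enabled, t.last_run_time
        FROM scheduled_tasks t
        WHERE t.name LIKE 'Updater%' OR t.action LIKE '%qbot%'""",
    "file": r"""
        SELECT f.path, f.filename, f.size, f.mtime, f.btime
        FROM file f
        WHERE f.path LIKE 'C:\Users\%\AppData\Roaming\%%'
          AND f.filename LIKE 'qbot%'""",
    "registry": r"""
        SELECT r.key, r.name, r.type, r.data, r.mtime
        FROM registry r
        WHERE r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
          AND r.name LIKE 'Updater%'""",
}


def load(conn):
    """Create the mirror tables and insert the constructed rows."""
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)


def hunt(conn=None):
    """Run every hunting query; return matching rows keyed by table name."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
        load(conn)
    return {table: conn.execute(sql).fetchall() for table, sql in QUERIES.items()}


if __name__ == "__main__":
    for table, rows in hunt().items():
        print(f"{table}: {len(rows)} hit(s)")
        for row in rows:
            print("   ", row)
```

Each query returns exactly one row, the planted one, and the processes result carries explorer.exe as parent_name thanks to the self-join; the benign rows (a Google updater task, a OneDrive Run value, a themes ini file) are not matched. To run the same SQL against a real host, paste a query into osqueryi or into a pack and drop the mirror.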


Osquery's versatility makes it a powerful tool for detecting and responding to QakBot infections. By running queries tailored to known IOCs and to QakBot's persistence behavior, you can expose potential compromises early and take decisive action to protect your organization's digital assets.

As QakBot continues to adapt and challenge our defenses, embracing innovative tools and techniques like osquery is essential for staying one step ahead in the ever-evolving world of cybersecurity.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
