Purple Teaming Report v1.0
Version 1.0
Date 21.04.2022
TLP WHITE

Team and Roles
John - Coordinator
Alice - Red Team
Bob - Blue Team
Mario - CTI Team

Purple Teaming Objective(s)
This exercise is meant to:
1. Get an overview of how the organization would deal with such a threat
2. Test the effectiveness of the security controls against this threat
3. Identify gaps and improvements

Threat Intelligence overview

Name: Qakbot
Type: Malware/Threat Actor
Overview: Qakbot, aka Qbot, is a modular trojan type of malware. It is known to be used by threat actors tracked as TA551, TA570, TA577, Lockean and Mallard Spider. As a modular malware, Qakbot can retrieve different modules depending on the objective of the threat actor operating it. It is used as an information stealer as well as a delivery agent for ransomware. One source (CERT-FR) mentions that Mallard Spider is the threat actor behind the development of the malware.
Objective: The objective of the threat actor behind this malware has in general been financial gain.
Tools and malware: Qakbot seems to operate under an affiliate model. Therefore it has been seen delivering various ransomwares such as Egregor, ProLock and Conti/Sodinokibi, DoppelPaymer, and it is used by various threat actors.
Victimology: Various, opportunistic
Attribution theory: Mallard Spider seems to be the threat actor behind its development
TTPs - ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fptop.only.wip.la%3A443%2Fhttps%2Fattack.mitre.org%2Fsoftware%2FS0650%2FS0650-enterprise-layer.json

Emulation Plan

Column groups (team responsible): CTI Team | CTI and Red Team | Red Team | Red & Blue Team | Blue Team | ALL
Columns: Tactic | Technique | Procedure description | Procedure replay | Control/Mitigation | Type | Effectiveness | Comment

Tactic | Technique | Procedure description
TA0001 Initial Access | T1566 Phishing | Qakbot initial access varies a lot over time, but it usually starts with a mail containing either an attachment or a URL. Sometimes it impersonates a known organization and leverages an existing email thread between the victim and this entity.
TA0002 Execution | T1053.005 Scheduled Task | Qakbot uses this technique as a way of executing the malicious DLL every x time.
TA0003 Persistence | T1053.005 Scheduled Task | Qakbot creates scheduled tasks to maintain persistence.
TA0005 Defense Evasion | T1027.002 Obfuscated Files or Information: Software Packing | Qakbot binary and config are obfuscated and encrypted using the RC4 cipher.
TA0005 Defense Evasion / TA0004 Privilege Escalation | T1055 Process Injection | Qakbot uses this technique to load into the memory of other processes.
TA0005 Defense Evasion | T1218 Signed Binary Proxy Execution | Qakbot is delivered as a DLL and executed using signed binaries such as rundll32 or regsvr32.
TA0005 Defense Evasion | T1497 Virtualization/Sandbox Evasion | Anti-VM and sandbox techniques are used to evade detection.
TA0005 Defense Evasion | T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion | Time-based evasion is checked during the malware runtime.
TA0006 Credential Access / TA0009 Collection | T1056 Input Capture | Qakbot collects credentials and sensitive data from victims' devices.
TA0007 Discovery | T1057 Process Discovery | Qakbot obtains the list of processes and other details.
TA0007 Discovery | T1518 Software Discovery | A list of the installed software is retrieved by Qakbot.
TA0007 Discovery | T1518.001 Software Discovery: Security Software Discovery | Installed antivirus and other security software is enumerated by Qakbot.
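The emulation plan above lists the TTPs the Blue Team is expected to see; the following is an added example (not part of the report template) of how the observed-control check for three of those rows could be run over process-creation telemetry. It assumes a constructed record format with Image, ParentImage and CommandLine fields (Sysmon-style) and uses constructed sample records, not real data.

```python
"""Added example: flag process-creation records that match the emulation
plan's T1566 delivery chain, T1218 proxy execution of a DLL from a
user-writable path, and T1053.005 scheduled-task persistence.
Record format and sample records are constructed for this example."""
import re
from typing import Dict, List

PROXY = {"rundll32.exe", "regsvr32.exe"}          # signed proxy binaries (T1218)
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}  # typical phishing parents
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)
DLL_ARG = re.compile(r"(?P<path>\S+\.dll)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs this record matches, in a fixed order."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits: List[str] = []
    if image in PROXY:
        m = DLL_ARG.search(cmd)
        # DLL argument living under a user-writable directory
        if m and USER_WRITABLE.search(m.group("path")):
            hits.append("T1218")
        # proxy binary spawned directly by an Office / mail client
        if parent in OFFICE:
            hits.append("T1566")
    if image == "schtasks.exe" and "/create" in cmd.lower():
        # task action itself invokes a proxy binary
        if PROXY & set(re.findall(r"\w+\.exe", cmd.lower())):
            hits.append("T1053.005")
    return hits


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Office\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.dll,DllRegisterServer"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn upd /tr "rundll32.exe C:\ProgramData\x.dll,run" /sc minute /mo 30'},
]


def observed_techniques(events: List[Dict[str, str]]) -> List[str]:
    """Distinct technique IDs seen across all records, i.e. what telemetry caught."""
    return sorted({t for e in events for t in classify(e)})
```

The result of observed_techniques can be compared against the Expectation cells of the plan to fill in the Observation and Effectiveness columns.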

Appendix

Resources
https://attack.mitre.org/software/S0650/
https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
https://redcanary.com/threat-detection-report/threats/qbot/

TLP Reminder https://www.cisa.gov/tlp


Purple Teaming Log and Report


Red Team | Red & Blue Team
Procedure replay | Control/Mitigation

Template cells for these two columns, repeated once per emulation plan row:

Procedure replay: <Document the Red Team procedure (ART Reference, manual, other.)>
Control/Mitigation:
Expectation
1. <Document here the expected security controls prior to executing the TTPs>
Observation
2. <Document here the observed security controls after executing the TTPs>


Blue Team | ALL
Type | Effectiveness | Comment

Allowed values
Control Types: Prevention, Telemetry, Detection, Remediation
Effectiveness: Expected, effective; Expected, partially effective; Expected, ineffective; Not-expected, effective; Not-expected, partially effective
