{
	"id": "18473164-69f8-4817-bb96-4fdd5854f21e",
	"created_at": "2026-04-06T00:08:11.358533Z",
	"updated_at": "2026-04-10T03:24:23.496469Z",
	"deleted_at": null,
	"sha1_hash": "4f2ff67f3e384e7900fd3e22ba239b1abb2cb525",
	"title": "Qbot and Zerologon Lead To Full Domain Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3216962,
	"plain_text": "Qbot and Zerologon Lead To Full Domain Compromise\r\nBy editor\r\nPublished: 2022-02-21 · Archived: 2026-04-05 18:08:35 UTC\r\nIn this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of\r\nmalware.\r\nSoon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the\r\nbeachhead. Successful exploitation of the allowed the threat actors to obtain domain admin privileges. This level of access\r\nwas abused to deploy additional Cobalt Strike beacons and consequently pivot to other sensitive hosts within the network.\r\nThe threat actor then exfiltrated sensitive documents from the environment before being evicted from the network.\r\nSummary\r\nThe threat actors gained initial access to a Windows workstation through the execution of a malicious DLL. The first activity\r\nof QBot was seen 5 minutes after the DLL was executed. Various automated discovery commands were used to\r\nFollowing the first discovery stage, Qbot dropped another malicious DLL and created a scheduled task to obtain persistence.\r\nOnce the threat actors established persistence, they continued with enumerating the environment by mapping out the Active\r\nDirectory environment using tools such as N\r\nUpon the identification of one of the domain controllers, the attackers proceeded to exploit the ZeroLogon vulnerability. The\r\nexecutable used bears striking similarity to the one used in a previous case. The executable named cool.exe  to an empty\r\nstring, retrieves the Domain Admin password Hash, and\r\nThe domain admin hash was then used on the beachhead through an over-pass-the-hash attack. After having domain admin\r\nprivileges, they proceeded with deploying Cobalt Strike Beacons on a file server and another domain controller, which\r\nallowed them to pivot to those servers.\r\n
To conclude this case, the threat actors were evicted from the network before they completed any further objectives.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as QBot,\r\nCobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be\r\nfound here.\r\nWe also have artifacts and IOCs available from this case such as memory captures, files, event logs including Sysmon, Kape\r\npackages, and more, under our Security Researcher and Organization services.\r\nhttps://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\r\nPage 1 of 22\n\nAnalysis and reporting completed by @pigerlin \u0026 @MetallicHack\r\nReviewed by @ICSNick \u0026 @kostastsale\r\nInitial Access\r\nThe threat actor gained their initial access through the execution of a malicious DLL. Traditionally Qbot is delivered via\r\nemail using malicious documents that then download the malicious DLL. In this case, however, the execution started\r\ndirectly from the qbot DLL found here.\r\nThe execution chain for this QBot infection can be seen below:\r\nExecution\r\nQBot PowerShell analysis\r\nWe analyzed the registry path and associated keys that were queried by the scheduled task HKCU:\\SOFTWARE\\Pvoeooxf and\r\ndiscovered that three keys were created containing base64 encoded values. Decoding the values resulted in:\r\n1. Copy of QBot DLL\r\n3. Obfuscated PowerShell script that is referenced by the scheduled task.\r\nThe PowerShell script (triggered by the scheduled task) starts off a chain of events which is illustrated below:\r\nWhen run for the first time, the script creates a new registry key entry in the same path, saving the date of execution. 
It then\r\nverifies upon execution if the creation date key of this registry key is older than 4 hours.\r\nBased on the outcome, it will either: (1) retrieve the base64-encoded Qbot payload from the Windows Registry, decode it,\r\nsave it on the file system and execute it.\r\nOR (2) Fetch the QBot payload remotely using one of the active C2 IPs using the Invoke-WebRequest PowerShell module:\r\nThe PS script contains built-in logic to execute various types of payloads including batch and Visual Basic files.\r\nThe encoded QBot DLL that was stored in the registry was dropped in the directory\r\n%APPDATA%\\Roaming\\Microsoft\\Fdopitcu . The unsigned DLL, with descriptor Cancel Autoplay 2, was executed using\r\nregsvr32.exe\r\nUpon execution of this second-stage DLL, various registry keys were created in HKCU\\Software\\Microsoft\\Yerqbqokc. 
In\r\naddition, a new instance of explorer.exe (32-bit) was started and injected into.\r\nThe registry keys contain eight-character long hex strings which we believe are part of the malware’s encrypted config.\r\nPersistence\r\nScheduled Task/Job – Scheduled Task On Beachhead\r\nThe scheduled task created by Qbot was set to run every 30 minutes and executes a base64 encoded payload stored in the\r\nWindows Registry.\r\nschtasks.exe /Create /F /TN \"{97F2F70B-10D1-4447-A2F3-9B070C86E261}\" /TR \"cmd /c start /min \\\"\\\" powershell.ex\r\nLogName: Microsoft-Windows-TaskScheduler/Operational\r\nEventCode: 106\r\nMessage: Task scheduler Task Registered\r\nPrivilege Escalation\r\nThirty minutes after gaining initial access, the threat actors ran an executable file on the beachhead to exploit CVE-2020-1472, Zerologon.\r\nC:\\Windows\\system32\\cmd.exe /C cool.exe [DC IP ADDRESS] [DOMAIN NAME] Administrator -c \"taskkill /f /im explor\r\nThree milliseconds after the exploit, an event 4742 “A computer account was changed.” was generated on the targeted\r\nDomain Controller.\r\nAs explained in a detailed blog from CrowdStrike, the ZeroLogon CVE relies on the AES-CFB8 algorithm used with a zero IV:\r\n“In order to use AES-CFB8 securely, a random initialization vector (IV) needs to be generated for every plaintext\r\nto be encrypted using the same key. However, the ComputeNetlogonCredential function sets the IV to a fixed\r\nvalue of 16 zero bytes. This results in a cryptographic flaw in which encryption of 8-bytes of zeros could yield a\r\nciphertext of zeros with a probability of 1 in 256. Another implementation issue that allows this attack is that\r\nunencrypted Netlogon sessions aren’t rejected by servers (by default). 
The combination of these two flaws could\r\nallow an attacker to completely compromise the authentication, and thus to impersonate a server of their choice.”\r\nAs we can see on the network captures, a brute-force attack was performed in order to spoof the identity of the domain\r\ncontroller:\r\nAfter the end of the brute force traffic, we can see a single instance where the exploit has completed successfully.\r\nAfter being successfully authenticated, the DC password was set:\r\nWe can also see that the SubjectUserName is ANONYMOUS LOGON.\r\nAfter authenticating to the DC with the DC account, the threat actors dumped the Domain Admin hash, and then reset the\r\nDC password in order to unbreak the Active Directory Domain.\r\nThe explorer shell was also restarted by the threat actor:\r\nDefense Evasion\r\nUpon execution of the initial DLL, QBot uses process hollowing to start a suspended instance of explorer.exe (32-bit) and\r\nthen injects itself into this process.\r\nThe injected explorer.exe process was used to spawn and inject into additional instances of explorer.exe (32-bit). An\r\nexample event can be seen below. Source PID 10492, belonging to QBot, injected a DLL into PID 4072, which we discovered\r\nwas part of Cobalt Strike C2 communication.\r\nOver-Pass-the-Hash from Beachhead\r\nThe threat actor obtained the NTLM hash value of the administrator account through the Zerologon exploit and used over-pass-the-hash. We have seen the use of over-pass-the-hash several times before. 
For example, our Cobalt Strike Defender\r\nGuide covers detection of this technique in more detail.\r\nSoon after, a TGT for the administrator account was requested:\r\nDiscovery\r\nQBot initially starts a number of processes to collect information about the affected system. This is part of the “SYSTEM\r\nINFO” bot request, as described in a recent article from SecureList.\r\nLater, more discovery commands were executed via the Cobalt Strike beacon, which gathered information about the Active\r\nDirectory environment.\r\nC:\\redacted\\find.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName\r\nC:\\Windows\\system32\\cmd.exe /C wmic /namespace:\\\\root\\SecurityCenter2 PATH AntiSpywareProduct GET /value\r\nC:\\Windows\\system32\\cmd.exe /C wmic /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\r\nC:\\Windows\\system32\\cmd.exe /C wmic /namespace:\\\\root\\SecurityCenter2 PATH FirewallProduct GET /value\r\nPing was used to verify machines were online:\r\nping -n 1 [REDACTED]\r\nLateral Movement\r\nThrough the creation of Windows services, Cobalt Strike Beacons (psexec_psh function) were deployed on multiple hosts\r\nwithin the environment.\r\nEventCode: 7045\r\nService File Name: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand \u003credacted\u003e\r\nUser: NT AUTHORITY\\SYSTEM\r\nParentImage: C:\\Windows\\System32\\services.exe\r\nParentCommandLine: C:\\Windows\\system32\\services.exe\r\nLog Source: Microsoft-Windows-Service Control Manager Event ID:7045\r\nMultiple services were installed by Cobalt Strike across the environment, here are a few 
examples:\r\nHKLM\\System\\CurrentControlSet\\Services\\3141131\\ImagePath\r\nHKLM\\System\\CurrentControlSet\\Services\\af5ff02\\ImagePath\r\nHKLM\\System\\CurrentControlSet\\Services\\c46234f\\ImagePath\r\nfirst calls to create the service remotely, then starts it with StartServiceA function:\r\nRDP/interactive Logins\r\nIncrease the max RDP connections allowed, in this case an arbitrarily large number.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /t REG_DWORD /v \"MaxInsta\r\nMakes sure the RDP listener is enabled.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /t REG_DWORD /v \"fEnableW\r\nMakes sure the user is allowed to RDP to the terminal server.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"TSUserEnabled\" /d 0 /f\r\nMakes sure the terminal server is set to enabled.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"TSEnabled\" /d 1 /f\r\nMakes sure terminal services are set to remote admin mode.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"TSAppCompat\" /d 0 /f\r\nMakes sure that the terminal service will start idle sessions.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"IdleWinStationPoolCount\" /d 1\r\nEnables advertisement of the terminal server.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"TSAdvertise\" /d 1 /f\r\nMakes sure terminal server is set to allow connections.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"AllowTSConnections\" /d 1 /f\r\nMakes sure terminal server is set to simultaneous sessions.\r\nREG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\" 
/t REG_DWORD /v \"EnableConcurren\r\nMakes sure multiple sessions are allowed.\r\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /t REG_DWORD /v \"fSingleSessionPerUser\" /d 0 /\r\nStarts the terminal services and sets service to autostart.\r\nsc config termservice start= auto\r\nnet start termservice /y\r\nLogName=Security\r\nEventCode=4624\r\nLogon Type=10 (Remote Interactive Logon - RDP)\r\nNamed pipe (SMB)\r\nThe base64 encoded payload can be decoded using this Cyberchef recipe (shout out @0xtornado) which represents an SMB\r\nbeacon that creates the named pipe “dce_3d”.\r\nLogName=Microsoft-Windows-System/Operational\r\nEventCode=17\r\nTaskCategory=Pipe Created (rule: PipeEvent)\r\nCommand and Control\r\nQBot details – 24.229.150.54 // 41.228.22.180\r\n24.229.150[.]54:995 / avlhestito[.]us\r\nCertificate: 25:a6:ef:79:48:98:54:ee:bb:a6:bd:10:ee:c1:f2:0a:00:ad:ac:ce\r\nNot Before: 2021/11/15 09:24:49 UTC\r\nNot After: 2022/11/15 13:18:32 UTC\r\nIssuer Org: Rsc Inpye LLC.\r\nSubject Common: avlhestito[.]us\r\nPublic Algorithm: rsaEncryption\r\nJA3: c35a61411ee5bdf666b4d64b05c29e64\r\nJA3s: 7c02dbae662670040c7af9bd15fb7e2f\r\n41.228.22[.]180:443 / xrhm[.]info\r\nCertificate: 96:39:a9:52:e9:9a:1e:29:c5:dc:b3:72:01:29:74:c4:87:db:15:d7\r\nNot Before: 2021/11/12 04:34:10 UTC\r\nNot After: 2022/11/12 10:08:57 UTC\r\nIssuer Org: Bqatra Bamito Inc.\r\nSubject Common: xrhm[.]info\r\nPublic Algorithm: rsaEncryption\r\nJA3: c35a61411ee5bdf666b4d64b05c29e64\r\nJA3s: 7c02dbae662670040c7af9bd15fb7e2f\r\nHere is the initial access DLL (Qbot) information from Tria.ge\r\nCobalt Strike details – 5.255.98[.]144\r\nThis Cobalt Strike server was added to our Threat Feed on 2021-11-16.\r\n5.255.98.144:8888 / 5.255.98.144:443 / 5.255.98.144:8080 / 
dxabt[.]com\r\nCertificate: [25:fe:be:6d:0e:8d:48:5a:94:cf:46:84:d7:7e:ff:bf:47:aa:04:5c ]\r\nNot Before: 2021/11/07 03:00:53 UTC\r\nNot After: 2022/02/05 03:00:52 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: dxabt[.]com [dxabt[.]com,ns1.dxabt[.]com,ns2.dxabt[.]com,ns3.dxabt[.]com,ns4.dxabt[.]com\r\nPublic Algorithm: rsaEncryption\r\nJA3: 0eecb7b1551fba4ec03851810d31743f\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nConfig:\r\n{\r\n \"x64\": {\r\n \"uri_queried\": \"/tRPG\",\r\n \"sha256\": \"dec25fc2fe7e76fe191fbfdf48588c4325f52bfe2769fbc88a5614541c1075eb\",\r\n \"config\": {\r\n \"HTTP Method Path 2\": \"/faq\",\r\n \"Jitter\": 79,\r\n \"C2 Server\": \"dxabt[.]com,/case\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n \"Method 1\": \"GET\",\r\n \"C2 Host Header\": \"\",\r\n \"Method 2\": \"POST\",\r\n \"Watermark\": 426352781,\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Port\": 443,\r\n \"Polling\": 53988\r\n },\r\n \"time\": 1637416040175.3,\r\n \"md5\": \"30cc71d5b5d7778774c54486558690d3\",\r\n \"sha1\": \"5f36c6cffdbae0d631c8889b4d9bad1248f899b3\"\r\n },\r\n \"x86\": {\r\n \"uri_queried\": \"/Mr0m\",\r\n \"sha256\": \"a992d57b2f6164e599952ea3c245962824ad17166684ed45e987efe80ebe611f\",\r\n \"config\": {\r\n \"HTTP Method Path 2\": \"/faq\",\r\n \"Jitter\": 79,\r\n \"C2 Server\": \"dxabt[.]com,/case\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n \"Method 1\": \"GET\",\r\n \"C2 Host Header\": \"\",\r\n \"Method 2\": \"POST\",\r\n \"Watermark\": 426352781,\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Port\": 443,\r\n \"Polling\": 53988\r\n },\r\n \"time\": 1637416038974.9,\r\n \"md5\": \"c1fd49c043894c1dff8bc02b17f8942c\",\r\n \"sha1\": \"e915f74be310b1687db6b290af2f78583a981512\"\r\n 
}\r\n}\r\nExfiltration\r\nWhile the threat actors were active in the environment, we received 3 different alerts stating that someone had opened\r\ncanary documents from the IP address 91.193.182[.]165. These alerts tell us that data was indeed exfiltrated from the\r\nenvironment.\r\nThe threat actors were most interested in files concerning financial statements, ransomware reports, and salary data.\r\nThe C2 channel was encrypted and multiple connections were established with the internal file server. No other traffic was\r\nobserved for possible exfiltration, leading us to the conclusion that the command and control channel was used for the\r\nexfiltration.\r\nAt 17:35 UTC, the Cobalt Strike Beacon was deployed on the File Server.\r\nSpike in traffic from file share server to Cobalt Strike command and control server.\r\nIOCs\r\nNetwork\r\nQBOT\r\n24.229.150[.]54:995 - avlhestito[.]us\r\n41.228.22[.]180:443 - xrhm[.]info\r\nCobalt Strike\r\n5.255.98[.]144:8888 / dxabt[.]com\r\n5.255.98[.]144:443 / dxabt[.]com\r\n5.255.98[.]144:8080 / dxabt[.]com\r\nInitial Exec Qbot DLL\r\nMD5:53510e20efb161d5b71c4ce2800c1a8d\r\nSHA1:2268178851d0d0debb9ab457d73af8a5e50af168\r\nSHA2:e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987\r\nQBot DLL (extracted from registry):\r\nMD5:312e52b4109741893f17bc524084100f\r\nSHA1:7ca650945223eab088f43fd472e3592be2ed9d32\r\nSHA2:4d3b10b338912e7e1cbade226a1e344b2b4aebc1aa2297ce495e27b2b0b5c92b\r\ncool.exe\r\nMD5:59E7F22D2C290336826700F05531BD30\r\nSHA1:3B2A0D2CB8993764A042E8E6A89CBBF8A29D47D1\r\nSHA256:F63E17FF2D3CFE75CF3BB9CF644A2A00E50AAFFE45C1ADF2DE02D5BD0AE35B0\r\nDetections\r\nNetwork\r\nET POLICY Powershell Activity Over SMB - Likely Lateral Movement\r\nET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager 
Access\r\nET CNC Feodo Tracker Reported CnC Server group 15\r\nET CNC Feodo Tracker Reported CnC Server group 16\r\nThe following rules may cause performance issues (and are disabled by default) according to @ET_Labs\r\nET EXPLOIT Possible Zerologon NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472) - 2030870\r\nET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472) 2030871\r\nET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) UUID flowbit set - 2030888\r\nET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2 - 2030889\r\nNew signatures thanks to @ET_Labs!\r\n2035258 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign\r\n2035259 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign\r\n2035260 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign\r\n2035261 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign\r\n2035262 - ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)\r\n2035263 - ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CV\r\nSigma\r\ntitle: Scheduled task executing powershell encoded payload from registry\r\nstatus: Experimental\r\ndescription: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Re\r\nauthor: @Kostastsale, @TheDFIRReport\r\nreferences:\r\n - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\r\ndate: 2022/02/12\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection1:\r\n Image|endswith: '\\schtasks.exe'\r\n CommandLine|contains|all:\r\n - '/Create'\r\n - '/SC'\r\n selection2:\r\n CommandLine|contains|all:\r\n - 'FromBase64String'\r\n - 'powershell'\r\n - 'Get-ItemProperty'\r\n - 
'HKCU:'\r\n condition: selection1 and selection2\r\nfalsepositives:\r\n - Unknown\r\nlevel: high\r\ntags:\r\n - attack.execution\r\n - attack.persistence\r\n - attack.t1053.005\r\n - attack.t1059.001\r\ntitle: Execution of ZeroLogon PoC executable\r\nstatus: Experimental\r\ndescription: Detects the execution of the commonly used ZeroLogon PoC executable.\r\nauthor: @Kostastsale, @TheDFIRReport\r\nreferences:\r\n - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\n - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\r\ndate: 2022/02/12\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection1:\r\n ParentImage|endswith:\r\n - '\\cmd.exe'\r\n Image|endswith:\r\n - '\\cool.exe'\r\n - '\\zero.exe'\r\n CommandLine|contains|all:\r\n - 'Administrator'\r\n - '-c'\r\n selection2:\r\n CommandLine|contains|all:\r\n - 'taskkill'\r\n - '/f'\r\n - '/im'\r\n selection3:\r\n CommandLine|contains:\r\n - 'powershell'\r\n condition: selection1 and (selection2 or selection3)\r\nfalsepositives:\r\n - Unknown\r\nlevel: high\r\ntags:\r\n - attack.execution\r\n - attack.lateral_movement\r\n - attack.T1210\r\ntitle: Enabling RDP service via reg.exe command execution\r\nstatus: Experimental\r\ndescription: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service o\r\nauthor: @Kostastsale, @TheDFIRReport\r\nreferences:\r\n - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\r\ndate: 2022/02/12\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n selection1:\r\n Image|endswith:\r\n - '\\reg.exe'\r\n CommandLine|contains|all:\r\n - 'add'\r\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server'\r\n - 'REG_DWORD'\r\n Winstations1:\r\n CommandLine|contains:\r\n - 'WinStations\\RDP-Tcp'\r\n 
Winstations2:\r\n CommandLine|contains:\r\n - 'MaxInstanceCount'\r\n - 'fEnableWinStation'\r\n selection2:\r\n CommandLine|contains|all:\r\n - 'Licensing Core'\r\n - 'EnableConcurrentSessions'\r\n selection3:\r\n CommandLine|contains:\r\n - 'TSUserEnabled'\r\n - 'TSEnabled'\r\n - 'TSAppCompat'\r\n - 'IdleWinStationPoolCount'\r\n - 'TSAdvertise'\r\n - 'AllowTSConnections'\r\n - 'fSingleSessionPerUser'\r\n condition: selection1 and ((Winstations1 and Winstations2) or (selection2 or selection3))\r\nfalsepositives:\r\n - Unknown\r\nlevel: high\r\ntags:\r\n - attack.defense_evasion\r\n - attack.lateral_movement\r\n - attack.t1021.001\r\n - attack.t1112\r\nhttps://github.com/SigmaHQ/sigma/blob/a502f316efdcc8c174b7cf412029dfae5b3552c8/rules/windows/builtin/security/win_pass_the_hash_2.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_powers\r\nhttps://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_cobaltst\r\nhttps://github.com/SigmaHQ/sigma/blob/33b370d49bd6aed85bd23827aa16a50bd06d691a/rules/windows/process_creation/proc_creation_win_sus\r\nhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_scht\r\nhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_nltes\r\nhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_susp\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2022-02-20\r\n Identifier: Case 8734\r\n Reference: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\r\n*/\r\n/* Rule Set 
----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule qbot_8734_payload_dll {\r\n meta:\r\n description = \"files - file e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-20\"\r\n hash1 = \"e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987\"\r\n strings:\r\n $s1 = \"Terfrtghygine.dll\" fullword ascii\r\n $s2 = \"Winamp can read extended metadata for titles. Choose when this happens:\" fullword wide /* Goodwar\r\n $s3 = \"Read metadata when file(s) are loaded into Winamp\" fullword wide /* Goodware String - occurred 1 t\r\n $s4 = \"Use advanced title formatting when possible\" fullword wide /* Goodware String - occurred 1 times *\r\n $s5 = \"PQVW=!?\" fullword ascii\r\n $s6 = \"Show underscores in titles as spaces\" fullword wide /* Goodware String - occurred 1 times */\r\n $s7 = \"Advanced title display format :\" fullword wide /* Goodware String - occurred 1 times */\r\n $s8 = \"CreatePaint\" fullword ascii\r\n $s9 = \"PQRVW=2\\\"\" fullword ascii\r\n $s10 = \"Advanced Title Formatting\" fullword wide /* Goodware String - occurred 1 times */\r\n $s11 = \"Read metadata when file(s) are played or viewed in the playlist editor\" fullword wide /* Goodwar\r\n $s12 = \"Show '%20's in titles as spaces\" fullword wide /* Goodware String - occurred 1 times */\r\n $s13 = \"Example : \\\"%artist% - %title%\\\"\" fullword wide /* Goodware String - occurred 1 times */\r\n $s14 = \"PQRVW=g\" fullword ascii\r\n $s15 = \"PQRW=e!\" fullword ascii\r\n $s16 = \"ATF Help\" fullword wide /* Goodware String - occurred 1 times */\r\n $s17 = \"(this can be slow if a large number of files are added at once)\" fullword wide /* Goodware Strin\r\n $s18 = \"PQRVW=$\" fullword ascii\r\n $s19 = \"Metadata Reading\" fullword 
wide /* Goodware String - occurred 1 times */\r\n $s20 = \"Other field names: %artist%, %album%, %title%, %track%, %year%, %genre%, %comment%, %filename%,\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n ( pe.imphash() == \"aa8a9db10fba890f8ef9edac427eab82\" and pe.exports(\"CreatePaint\") or 8 of them )\r\n}\r\nrule qbot_dll_8734 {\r\n meta:\r\n description = \"files - qbot.dll\"\r\n author = \"TheDFIRReport\"\r\n reference = \"QBOT_DLL\"\r\n date = \"2021-12-04\"\r\n hash1 = \"4d3b10b338912e7e1cbade226a1e344b2b4aebc1aa2297ce495e27b2b0b5c92b\"\r\n strings:\r\n $s1 = \"Execute not supported: %sfField '%s' is not the correct type of calculated field to be used in an\r\n $s2 = \"IDAPI32.DLL\" fullword ascii\r\n $s3 = \"ResetUsageDataActnExecute\" fullword ascii\r\n $s4 = \"idapi32.DLL\" fullword ascii\r\n $s5 = \"ShowHintsActnExecute\" fullword ascii\r\n $s6 = \"OnExecute@iG\" fullword ascii\r\n $s7 = \"OnExecutexnD\" fullword ascii\r\n $s8 = \"ShowShortCutsInTipsActnExecute\" fullword ascii\r\n $s9 = \"ResetActnExecute \" fullword ascii\r\n $s10 = \"RecentlyUsedActnExecute\" fullword ascii\r\n $s11 = \"LargeIconsActnExecute\" fullword ascii\r\n $s12 = \"ResetActnExecute\" fullword ascii\r\n $s13 = \"OnExecute\u003c\" fullword ascii\r\n $s14 = \"TLOGINDIALOG\" fullword wide\r\n $s15 = \"%s%s:\\\"%s\\\";\" fullword ascii\r\n $s16 = \":\\\":\u0026:7:?:C:\\\\:\" fullword ascii /* hex encoded string '|' */\r\n $s17 = \"LoginPrompt\" fullword ascii\r\n $s18 = \"TLoginDialog\" fullword ascii\r\n $s19 = \"OnLogin\" fullword ascii\r\n $s20 = \"Database Login\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 3000KB and\r\n 8 of them\r\n}\r\nMITRE\r\nExploitation for Privilege Escalation – T1068\r\nService Execution – T1569.002\r\nNetwork Share Discovery – T1135\r\nPass the Hash – T1550.002\r\nPowerShell – T1059.001\r\nWindows Command Shell – T1059.003\r\nObfuscated Files or Information – 
T1027\r\nScheduled Task – T1053.005\r\nProcess Injection – T1055\r\nRemote System Discovery – T1018\r\nDomain Trust Discovery – T1482\r\nDomain Groups – T1069.002\r\nSystem Owner/User Discovery – T1033\r\nRemote Services – T1021\r\nLocal Account – T1087.001\r\nSecurity Software Discovery – T1518.001\r\nInternal case 8734\r\nSource: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/"
	],
	"report_names": [
		"qbot-and-zerologon-lead-to-full-domain-compromise"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f2ff67f3e384e7900fd3e22ba239b1abb2cb525.pdf",
		"text": "https://archive.orkl.eu/4f2ff67f3e384e7900fd3e22ba239b1abb2cb525.txt",
		"img": "https://archive.orkl.eu/4f2ff67f3e384e7900fd3e22ba239b1abb2cb525.jpg"
	}
}