From 82e38df177a83df68da80429fd6e004784d0513b Mon Sep 17 00:00:00 2001
From: ionsor <93973834+ionsor@users.noreply.github.com>
Date: Tue, 9 Nov 2021 09:26:57 +0100
Subject: [PATCH] Update qakbot-campaign-process-injection.md

Corrected the query to the one corresponding to the process injection, previous published one was for cookie and browsing history theft.
---
 Defense evasion/qakbot-campaign-process-injection.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/Defense evasion/qakbot-campaign-process-injection.md b/Defense evasion/qakbot-campaign-process-injection.md
index 0b27b320..7ae2a97f 100644
--- a/Defense evasion/qakbot-campaign-process-injection.md
+++ b/Defense evasion/qakbot-campaign-process-injection.md
@@ -9,12 +9,10 @@ The following query detects if Qakbot has injected code into the *ping.exe* proc
 ## Query
 ```Kusto
-DeviceProcessEvents
-| where FileName == "esentutl.exe"
-| where ProcessCommandLine has "WebCache"
-| where ProcessCommandLine has_any ("V01", "/s", "/d")
-| project ProcessCommandLine, InitiatingProcessParentFileName,
-DeviceId, Timestamp
+DeviceImageLoadEvents
+| where InitiatingProcessFileName =~ "ping.exe"
+| where FileName =~ "vaultcli.dll"
+| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, DeviceId, Timestamp
 ```
 ## Category
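Review bot: The new `| project` line drops the parent-process and process-id context that the replaced query kept, so a hit on ping.exe loading vaultcli.dll cannot be pivoted to the process that spawned or injected into ping.exe without re-querying; consider `| project Timestamp, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, FileName`. The prose in the hunk header says the query detects code injected into ping.exe, but the query itself keys on an unusual image load, so a one-sentence note under `## Query` stating that vaultcli.dll is the Windows credential-vault client library and is not expected in a normal ping.exe would make the detection logic explicit for analysts tuning it. The `=~` operators make both matches case-insensitive, which is appropriate for file names on Windows and worth stating in the same note.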