Query Details

Detecting Lumma Stealer Commands

Query

**Detecting Lumma Stealer commands**

One of the techniques used to distribute the Lumma Stealer malware is via command lines that invoke the native Windows application mshta, the Microsoft HTML Application host, which can execute scripts. This KQL query helps identify commands that use that application, and also those that use PowerShell and encode the malicious code in Base64.

```kql
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command line into words
| extend Word1 = tostring(CommandWords[0]), // First word
         Word2 = tostring(CommandWords[1]), // Second word
         Word3 = tostring(CommandWords[2]), // Third word
         Word4 = tostring(CommandWords[3]), // Fourth word
         Word5 = tostring(CommandWords[4])  // Fifth word (empty string when the command line is shorter)
| extend LongestWord = case(
    strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
    strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
    strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
    strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
    Word5 // Default case: Word5 is the longest
)
// base64_decode_tostring yields an empty result when LongestWord is not valid Base64
| extend DecodedString = base64_decode_tostring(LongestWord)
| where DecodedString contains "mshta" or InitiatingProcessCommandLine contains "mshta"
| distinct DeviceName, InitiatingProcessCommandLine, LongestWord, DecodedString
```

Explanation

This KQL query is designed to detect potential Lumma Stealer malware activity by examining command lines executed on devices. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at DeviceFileEvents, which contains information about file-related activities on devices.
  2. Command Line Analysis:
    • It splits the command line used to initiate a process into individual words.
    • It identifies the first five words from the command line for further analysis.
  3. Longest Word Identification:
    • Among the first five words, it determines which word is the longest.
  4. Base64 Decoding:
    • It attempts to decode the longest word as a Base64 string, converting it into readable text.
  5. Malware Detection:
    • It checks if the decoded string or the original command line contains the term "mshta", which is a Windows tool often used to execute scripts and can be exploited by malware like Lumma Stealer.
  6. Result Filtering:
    • It filters the results to show only distinct entries, displaying the device name, the original command line, the longest word, and the decoded string.

In summary, this query helps identify suspicious command lines that might be associated with the Lumma Stealer malware, specifically looking for the use of "mshta" and potentially encoded malicious scripts.
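The following Python script is an added example, not part of the original query page or the author's work. It re-implements the six steps above (split on spaces, keep the first five words, pick the longest, Base64-decode it, case-insensitive check for "mshta") over a few constructed rows shaped like DeviceFileEvents, so the logic can be exercised offline. It goes one step further than the KQL query: besides the UTF-8 decoding that base64_decode_tostring performs, it also decodes the bytes as UTF-16LE, because PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, and a UTF-8 view of those bytes has a NUL between every character, so a `contains "mshta"` test on it never matches. The device names, placeholder paths, the PLACEHOLDER payload and the MatchedOn field are constructed for this example.

```python
import base64
import binascii

# Constructed sample rows shaped like DeviceFileEvents (DeviceName, InitiatingProcessCommandLine).
# The Base64 payloads are built here from a placeholder path; they are not real Lumma Stealer IoCs.
def _b64(text: str, encoding: str) -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")

PLACEHOLDER = "mshta C:\\placeholder\\x.hta"  # constructed, not a real payload

SAMPLE_EVENTS = [
    {"DeviceName": "host-a",
     "InitiatingProcessCommandLine": 'mshta.exe "C:\\placeholder\\page.hta"'},
    {"DeviceName": "host-b",
     "InitiatingProcessCommandLine": "cmd.exe /c echo " + _b64(PLACEHOLDER, "utf-8")},
    {"DeviceName": "host-c",
     "InitiatingProcessCommandLine": "powershell.exe -NoProfile -EncodedCommand " + _b64(PLACEHOLDER, "utf-16-le")},
    {"DeviceName": "host-d",
     "InitiatingProcessCommandLine": "notepad.exe C:\\Users\\user\\notes.txt"},
]


def longest_of_first_five(cmdline: str) -> str:
    """Same selection as the query: split on single spaces, keep Word1..Word5, take the longest.
    The KQL case() returns the earliest word on ties; max() also keeps the first maximum."""
    words = cmdline.split(" ")[:5]
    return max(words, key=len) if words else ""


def decode_candidates(token: str) -> dict:
    """Return the decodings the detection compares against.
    'utf8' mirrors base64_decode_tostring (empty string when the token is not valid Base64).
    'utf16le' is the addition: PowerShell -EncodedCommand encodes UTF-16LE text, and a UTF-8
    view of those bytes interleaves NUL characters, so it never contains the substring 'mshta'."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"utf8": "", "utf16le": ""}
    utf8 = raw.decode("utf-8", errors="replace")
    utf16le = raw.decode("utf-16-le", errors="replace") if len(raw) % 2 == 0 else ""
    return {"utf8": utf8, "utf16le": utf16le}


def detect_mshta(events) -> list:
    """Apply the query's filter to each row; KQL 'contains' is case-insensitive, hence lower()."""
    results = []
    for ev in events:
        cmd = ev["InitiatingProcessCommandLine"]
        longest = longest_of_first_five(cmd)
        decoded = decode_candidates(longest)
        if "mshta" in cmd.lower():
            matched_on = "command_line"
        elif "mshta" in decoded["utf8"].lower():
            matched_on = "base64_utf8"
        elif "mshta" in decoded["utf16le"].lower():
            matched_on = "base64_utf16le"
        else:
            continue
        results.append({
            "DeviceName": ev["DeviceName"],
            "InitiatingProcessCommandLine": cmd,
            "LongestWord": longest,
            "DecodedString": decoded["utf16le"] if matched_on == "base64_utf16le" else decoded["utf8"],
            "MatchedOn": matched_on,  # constructed field: which test produced the hit
        })
    return results


if __name__ == "__main__":
    for hit in detect_mshta(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["MatchedOn"], repr(hit["DecodedString"]))
```

Running the script reports host-a (plain mshta in the command line), host-b (UTF-8 Base64) and host-c (UTF-16LE Base64), and nothing for host-d. host-c is the row the KQL query as written would not surface, and the place to extend it if encoded PowerShell launches are in scope for the hunt.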

Details


Sergio Albea

Released: January 14, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, CommandLine, ProcessName

Operators

extend, split, case, strlen, tostring, base64_decode_tostring, where, contains, or, distinct
