
Hanada Group Crowdstrike Impersonation Detection

Query

// This query detects activity from Hanada group malware impersonating CrowdStrike updates.
// It matches process command lines that reference installed antivirus binaries (the malware's
// AV discovery step) or the specific files and folders the malware creates.
DeviceProcessEvents
| where ProcessCommandLine has_any("avastui.exe","avgui.exe","bdservicehost.exe","nswscsvc.exe","sophoshealth.exe","Carroll Carroll","champion.pif",@"564784\L","locatedflattrendsoperating")

Explanation

This query is designed to identify suspicious activity on devices that might be linked to malware from the Hanada group, which is known for pretending to be updates from CrowdStrike, a cybersecurity company. Specifically, the query looks for processes that are trying to detect installed antivirus software or create certain files or folders. It does this by searching the command line of every process event on the device for a fixed list of keywords: the executable names of several antivirus products (which the malware checks for) and the file and folder names the malware creates. If any of these keywords are found, the event is returned as a possible sign of activity related to the Hanada group's malware.
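To make the matching behaviour concrete, here is an added Python emulation of the query run over a few constructed DeviceProcessEvents rows (this is example code written for this page, not the author's query or any Defender API; the rows, device names and command lines are made up). It uses case-insensitive substring matching, which is a simplification: KQL has_any performs case-insensitive whole-term matching, so this emulation matches at least everything the real query would. The sample rows also show the main triage caveat of this indicator list: a legitimate launch of the antivirus product itself (for example AvastUI.exe) contains the same keyword, so hits on the antivirus names need to be checked against FileName and the initiating process before being treated as malicious.

```python
"""Emulation of the page's KQL detection over constructed sample rows.

Constructed example: the rows below are invented for illustration and are not
real telemetry. Matching is case-insensitive substring matching, a stated
simplification of KQL has_any (whole-term, case-insensitive) semantics.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicator strings copied from the page's KQL query, in the same order.
INDICATORS: list[str] = [
    "avastui.exe",
    "avgui.exe",
    "bdservicehost.exe",
    "nswscsvc.exe",
    "sophoshealth.exe",
    "Carroll Carroll",
    "champion.pif",
    r"564784\L",
    "locatedflattrendsoperating",
]


@dataclass
class DeviceProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (only the columns used here)."""
    device_name: str
    file_name: str
    process_command_line: str


def matched_indicators(command_line: str) -> list[str]:
    """Return every indicator found in command_line (case-insensitive substring)."""
    lowered = command_line.lower()
    return [ind for ind in INDICATORS if ind.lower() in lowered]


def hunt(events: list[DeviceProcessEvent]) -> list[tuple[str, str, list[str]]]:
    """Emulate: DeviceProcessEvents | where ProcessCommandLine has_any(...).

    Returns (DeviceName, FileName, matched indicators) for each matching row,
    which is the minimum an analyst needs to start triage.
    """
    hits = []
    for ev in events:
        found = matched_indicators(ev.process_command_line)
        if found:
            hits.append((ev.device_name, ev.file_name, found))
    return hits


# Constructed sample rows (not real data).
SAMPLE_EVENTS: list[DeviceProcessEvent] = [
    # Benign service host: should not match anything.
    DeviceProcessEvent("WS-01", "svchost.exe",
                       r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # Legitimate antivirus UI launch: matches "avastui.exe" even though it is
    # the AV product itself, so FileName must be checked during triage.
    DeviceProcessEvent("WS-02", "AvastUI.exe",
                       r'"C:\Program Files\Avast Software\Avast\AvastUI.exe" /silent'),
    # Folder creation using one of the page's folder-name indicators.
    DeviceProcessEvent("WS-03", "cmd.exe",
                       r'cmd.exe /c mkdir "C:\Users\Public\Carroll Carroll"'),
    # Execution of the page's .pif indicator from the page's path fragment.
    DeviceProcessEvent("WS-04", "champion.pif",
                       r'"C:\Users\Public\564784\L\champion.pif"'),
]


if __name__ == "__main__":
    for device, file_name, found in hunt(SAMPLE_EVENTS):
        print(f"{device:6} {file_name:14} matched: {', '.join(found)}")
```

Running the block prints three hits (WS-02, WS-03 and WS-04); WS-02 is the legitimate-antivirus case, which is why a production version of this query is usually narrowed by projecting FileName and InitiatingProcessFileName and reviewing the antivirus-name matches separately from the file and folder indicators.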

Details


Jay Kerai

Released: November 10, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine

Operators

has_any, where, |
