Query Details

Rule : Peaklight Masquerading with PowerShell and Media Player files

Peaklightinfection

Query

DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"  
| where FileName in ("setup_wm.exe", "wmplayer.exe", "Microsoft.Media.Player.exe")
   or (ProcessCommandLine contains "appdata" and ProcessCommandLine contains ".mp4")

About this query

Explanation

This query is designed to detect suspicious activity that may indicate the presence of the Peaklight malware, which uses stealthy techniques to avoid detection. Here's a simplified summary:

What the Query Does:

  • Purpose: Identifies instances where PowerShell is used in conjunction with media player files or .mp4 files in the appdata directory, which is a behavior associated with the Peaklight malware.
  • Why: Peaklight malware operates entirely in memory and uses trusted system processes to appear legitimate, making it hard to detect. It often masquerades as media playback activity to evade traditional security defenses.

How the Query Works:

  1. Monitors Process Events: Specifically looks at DeviceProcessEvents.
  2. Checks for PowerShell Execution: Filters events where the initiating process is powershell.exe.
  3. Looks for Media Player Files: Further filters events where the file being executed is either setup_wm.exe, wmplayer.exe, or Microsoft.Media.Player.exe.
  4. Checks Command Line for Specific Patterns: Also filters events where the command line contains both appdata and .mp4.

Tags:

  • Process Events: Focuses on events related to process execution.
  • Masquerading: Identifies attempts to disguise malicious activity as legitimate processes.
  • PowerShell: Involves the use of PowerShell, a common tool for both legitimate and malicious activities.
  • Memory-Only Malware: Targets malware that operates entirely in memory.
  • Defense Evasion: Aims to catch techniques used to evade security measures.
  • Suspicious Activity: Flags potentially harmful behavior.

Search Query in KQL:

DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"  
| where FileName in ("setup_wm.exe", "wmplayer.exe", "Microsoft.Media.Player.exe")
   or (ProcessCommandLine contains "appdata" and ProcessCommandLine contains ".mp4")

Summary:

This query helps security teams detect and block potential malware activity that disguises itself as media player usage, leveraging PowerShell to execute malicious code without writing files to disk.

Details

Ali Hussein profile picture

Ali Hussein

Released: August 25, 2024

Tables

DeviceProcessEvents

Keywords

DevicesProcessEventsMasqueradingPowerShellMemoryOnlyMalwareDefenseEvasionSuspiciousActivity

Operators

==inorcontainsand.

MITRE Techniques

Actions

GitHub