Rule : Peaklight Masquerading with PowerShell and Media Player files
Peaklightinfection
Query
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where FileName in ("setup_wm.exe", "wmplayer.exe", "Microsoft.Media.Player.exe")
or (ProcessCommandLine contains "appdata" and ProcessCommandLine contains ".mp4")About this query
Explanation
This query is designed to detect suspicious activity that may indicate the presence of the Peaklight malware, which uses stealthy techniques to avoid detection. Here's a simplified summary:
What the Query Does:
- Purpose: Identifies instances where PowerShell is used in conjunction with media player files or
.mp4files in theappdatadirectory, which is a behavior associated with the Peaklight malware. - Why: Peaklight malware operates entirely in memory and uses trusted system processes to appear legitimate, making it hard to detect. It often masquerades as media playback activity to evade traditional security defenses.
How the Query Works:
- Monitors Process Events: Specifically looks at
DeviceProcessEvents. - Checks for PowerShell Execution: Filters events where the initiating process is
powershell.exe. - Looks for Media Player Files: Further filters events where the file being executed is either
setup_wm.exe,wmplayer.exe, orMicrosoft.Media.Player.exe. - Checks Command Line for Specific Patterns: Also filters events where the command line contains both
appdataand.mp4.
Tags:
- Process Events: Focuses on events related to process execution.
- Masquerading: Identifies attempts to disguise malicious activity as legitimate processes.
- PowerShell: Involves the use of PowerShell, a common tool for both legitimate and malicious activities.
- Memory-Only Malware: Targets malware that operates entirely in memory.
- Defense Evasion: Aims to catch techniques used to evade security measures.
- Suspicious Activity: Flags potentially harmful behavior.
Search Query in KQL:
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where FileName in ("setup_wm.exe", "wmplayer.exe", "Microsoft.Media.Player.exe")
or (ProcessCommandLine contains "appdata" and ProcessCommandLine contains ".mp4")
Summary:
This query helps security teams detect and block potential malware activity that disguises itself as media player usage, leveraging PowerShell to execute malicious code without writing files to disk.
