Pure Malware Family Behavior Detection
Query
let PureCoderLNK = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".LNK"
| project LnkTimestamp = Timestamp, LnkFileName = FileName, LnkSHA1 = SHA1, DeviceId; // Renamed 'LnkTimestamp' for the subsequent join
DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_all ("$env:TEMP", "ActiveXObject") or (ProcessCommandLine has_all ("split", "reverse") and ProcessCommandLine has "join")
| project ProcessTimestamp = Timestamp, ProcessCommandLine, ProcessFileName = FileName, DeviceId, DeviceName, ReportId, SHA1 // Renamed 'ProcessTimestamp' and projected required columns
// Join with the LNK events:
| join kind=inner (
PureCoderLNK
) on DeviceId // First join on the device (DeviceId)
| where LnkTimestamp >= ProcessTimestamp and LnkTimestamp < (ProcessTimestamp + 5m) // Time window: LNK creation within 5 minutes after the process
| project Timestamp = ProcessTimestamp, LnkTimestamp, TimeDifference = LnkTimestamp - ProcessTimestamp, DeviceName, ProcessCommandLine, LnkFileName, SHA1, DeviceId, ReportIdAbout this query
Explanation
This query is designed to detect suspicious behavior associated with the Pure malware family, specifically focusing on the use of PowerShell commands that may indicate malicious activity. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify potential malware activity by detecting the execution of obfuscated PowerShell commands that are often used in attacks, particularly those associated with the Pure malware family.
-
Techniques Used: It looks for specific MITRE ATT&CK techniques:
- T1059.001: Use of PowerShell for executing commands.
- T1204.001: Execution of malicious links.
-
Detection Criteria:
- The query searches for PowerShell processes (
powershell.exeorpwsh.exe) that include certain suspicious patterns in their command lines, such as:- References to environment variables (
$env:TEMP). - Use of
ActiveXObject. - A combination of string operations like
split,reverse, andjoin.
- References to environment variables (
- It also checks for the creation of
.LNKfiles (shortcut files) shortly after these PowerShell commands are executed, suggesting that the.LNKfile might be used to trigger the PowerShell command.
- The query searches for PowerShell processes (
-
Process:
- The query first identifies
.LNKfile creation events. - It then identifies PowerShell execution events with the suspicious patterns.
- These two sets of events are joined based on the device ID, ensuring that the
.LNKfile creation occurs within five minutes after the PowerShell command execution.
- The query first identifies
-
Output: The query provides a list of events showing the timestamp of the PowerShell execution, the creation of the
.LNKfile, the time difference between these events, and other relevant details like the device name and command line used.
Overall, this query helps security analysts detect and investigate potential malware activity by identifying patterns typical of the Pure malware family.
