Pure Malware Family Behavior Detection

# Pure Malware Family Behavior Detection

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |

#### Description
Check Point researchers published an article with a behavior analysis of the Pure malware family. This query is based on that analysis; thanks to Check Point. (https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)

This rule detects the execution of PowerShell (powershell.exe or pwsh.exe) with an obfuscated command line, specifically one that contains both '$env:TEMP' and 'ActiveXObject', or the combination of 'split', 'reverse', and 'join'. The PowerShell execution is then correlated with the creation of a .LNK file within five minutes after the PowerShell process start, which suggests the LNK file is used as the initial execution vector for the obfuscated PowerShell command. This pattern is indicative of malware such as PureCoder.

#### Risk
Detection of ClickFix-style attacks associated with the Pure malware family.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/

## Defender XDR
```KQL
let PureCoderLNK = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".LNK"
| project LnkTimestamp = Timestamp, LnkFileName = FileName, LnkSHA1 = SHA1, DeviceId; // Renamed 'LnkTimestamp' for the subsequent join
DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_all ("$env:TEMP", "ActiveXObject") or (ProcessCommandLine has_all ("split", "reverse") and ProcessCommandLine has "join")
| project ProcessTimestamp = Timestamp, ProcessCommandLine, ProcessFileName = FileName, DeviceId, DeviceName, ReportId, SHA1 // Renamed 'ProcessTimestamp' and projected required columns
// Join with the LNK events:
| join kind=inner (
    PureCoderLNK
) on DeviceId // First join on the device (DeviceId)
| where LnkTimestamp >= ProcessTimestamp and LnkTimestamp < (ProcessTimestamp + 5m) // Time window: LNK creation within 5 minutes after the process
| project Timestamp = ProcessTimestamp, LnkTimestamp, TimeDifference = LnkTimestamp - ProcessTimestamp, DeviceName, ProcessCommandLine, LnkFileName, SHA1,  DeviceId, ReportId
```

Explanation

This query is designed to detect suspicious behavior associated with the Pure malware family, specifically focusing on the use of PowerShell commands that may indicate malicious activity. Here's a simplified breakdown of what the query does:

1. Purpose: The query aims to identify potential malware activity by detecting the execution of obfuscated PowerShell commands that are often used in attacks, particularly those associated with the Pure malware family.

2. Techniques used: It looks for specific MITRE ATT&CK techniques:
   - T1059.001: Use of PowerShell for executing commands.
   - T1204.001: Execution of malicious links.

3. Detection criteria:
   - The query searches for PowerShell processes (powershell.exe or pwsh.exe) whose command lines include suspicious patterns, such as:
     - References to the environment variable $env:TEMP.
     - Use of ActiveXObject.
     - A combination of the string operations split, reverse, and join.
   - It also checks for the creation of .LNK files (shortcut files) shortly after these PowerShell commands are executed, suggesting that the .LNK file might be used to trigger the PowerShell command.

4. Process:
   - The query first identifies .LNK file creation events.
   - It then identifies PowerShell execution events with the suspicious patterns.
   - These two sets of events are joined on the device ID, keeping only pairs where the .LNK file creation occurs within five minutes after the PowerShell command execution.

5. Output: The query provides a list of events showing the timestamp of the PowerShell execution, the creation of the .LNK file, the time difference between these events, and other relevant details such as the device name and the command line used.

Overall, this query helps security analysts detect and investigate potential malware activity by identifying patterns typical of the Pure malware family.
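To make the correlation logic concrete offline, here is an added Python re-implementation of the same detection over constructed sample telemetry. This is example code written for this page, not the author's query or Microsoft code; the record field names mirror the DeviceProcessEvents and DeviceFileEvents columns the KQL query projects, the `has_term` function is an approximation of Kusto's case-insensitive, term-bounded `has` operator (an assumption, noted in the code), and all events are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names follow the
# DeviceProcessEvents / DeviceFileEvents columns used by the KQL query above.
PROCESS_EVENTS = [
    # dev-A: split/reverse/join obfuscation, followed by a .LNK within 5 minutes -> should match
    {"Timestamp": datetime(2025, 10, 9, 10, 0, 0), "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -w hidden -c \"$a='x,y,z'.split(','); [array]::reverse($a); $a -join ''\"",
     "DeviceId": "dev-A", "DeviceName": "ws01", "ReportId": 1, "SHA1": "sha1-proc-1"},
    # dev-B: $env:TEMP + ActiveXObject, but the only .LNK creation precedes the process -> no match
    {"Timestamp": datetime(2025, 10, 9, 11, 0, 0), "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh -nop -c Set-Content $env:TEMP\\s.js 'new ActiveXObject()'",
     "DeviceId": "dev-B", "DeviceName": "ws02", "ReportId": 2, "SHA1": "sha1-proc-2"},
    # dev-C: $env:TEMP alone is not enough (has_all needs ActiveXObject too) -> not suspicious
    {"Timestamp": datetime(2025, 10, 9, 12, 0, 0), "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh -c Get-ChildItem $env:TEMP",
     "DeviceId": "dev-C", "DeviceName": "ws03", "ReportId": 3, "SHA1": "sha1-proc-3"},
    # dev-D: 'splitter' is not the term 'split' under `has` semantics -> not suspicious
    {"Timestamp": datetime(2025, 10, 9, 13, 0, 0), "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -c Write-Host splitter reversed joined",
     "DeviceId": "dev-D", "DeviceName": "ws04", "ReportId": 4, "SHA1": "sha1-proc-4"},
    # dev-A: same keywords in cmd.exe are out of scope (FileName filter)
    {"Timestamp": datetime(2025, 10, 9, 10, 1, 0), "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd /c echo split reverse join",
     "DeviceId": "dev-A", "DeviceName": "ws01", "ReportId": 5, "SHA1": "sha1-proc-5"},
]

FILE_EVENTS = [
    {"Timestamp": datetime(2025, 10, 9, 10, 2, 30), "ActionType": "FileCreated", "FileName": "update.LNK", "SHA1": "sha1-lnk-1", "DeviceId": "dev-A"},
    {"Timestamp": datetime(2025, 10, 9, 10, 20, 0), "ActionType": "FileCreated", "FileName": "old.lnk", "SHA1": "sha1-lnk-2", "DeviceId": "dev-A"},   # outside 5 min window
    {"Timestamp": datetime(2025, 10, 9, 10, 59, 0), "ActionType": "FileCreated", "FileName": "pre.lnk", "SHA1": "sha1-lnk-3", "DeviceId": "dev-B"},   # before the process
    {"Timestamp": datetime(2025, 10, 9, 11, 0, 30), "ActionType": "FileModified", "FileName": "x.lnk", "SHA1": "sha1-lnk-4", "DeviceId": "dev-B"},    # not a creation
    {"Timestamp": datetime(2025, 10, 9, 11, 1, 0), "ActionType": "FileCreated", "FileName": "notes.docx", "SHA1": "sha1-doc-1", "DeviceId": "dev-B"}, # not a .LNK
    {"Timestamp": datetime(2025, 10, 9, 12, 1, 0), "ActionType": "FileCreated", "FileName": "x.lnk", "SHA1": "sha1-lnk-5", "DeviceId": "dev-C"},      # process not suspicious
]


def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has` (assumption): case-insensitive match of `term`
    that is not immediately preceded or followed by an alphanumeric character,
    so 'split' matches 'a.split(' but not 'splitter'."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_all(text: str, terms) -> bool:
    """Mirror of KQL has_all: every term must be present."""
    return all(has_term(text, t) for t in terms)


def is_suspicious_powershell(event: dict) -> bool:
    """The DeviceProcessEvents filter: PowerShell host plus one of the two obfuscation signatures."""
    if event["FileName"].lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = event["ProcessCommandLine"]
    return has_all(cmd, ("$env:TEMP", "ActiveXObject")) or (
        has_all(cmd, ("split", "reverse")) and has_term(cmd, "join"))


def lnk_creations(file_events) -> list:
    """The PureCoderLNK subquery: FileCreated events whose name ends with .LNK (case-insensitive)."""
    return [e for e in file_events
            if e["ActionType"] == "FileCreated" and e["FileName"].lower().endswith(".lnk")]


def correlate(process_events, file_events, window: timedelta = timedelta(minutes=5)) -> list:
    """Inner join on DeviceId, keeping LNK creations in [ProcessTimestamp, ProcessTimestamp + window)."""
    lnks = lnk_creations(file_events)
    results = []
    for p in process_events:
        if not is_suspicious_powershell(p):
            continue
        for lnk in lnks:
            if lnk["DeviceId"] != p["DeviceId"]:
                continue
            if not (p["Timestamp"] <= lnk["Timestamp"] < p["Timestamp"] + window):
                continue
            results.append({
                "Timestamp": p["Timestamp"], "LnkTimestamp": lnk["Timestamp"],
                "TimeDifference": lnk["Timestamp"] - p["Timestamp"],
                "DeviceName": p["DeviceName"], "ProcessCommandLine": p["ProcessCommandLine"],
                "LnkFileName": lnk["FileName"], "SHA1": p["SHA1"],
                "DeviceId": p["DeviceId"], "ReportId": p["ReportId"],
            })
    return results


if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, FILE_EVENTS):
        print(hit["DeviceName"], hit["LnkFileName"], hit["TimeDifference"], hit["ProcessCommandLine"])
```

Run against the sample data, only the dev-A pair survives: the cmd.exe event fails the host filter, dev-C has `$env:TEMP` without `ActiveXObject`, dev-D shows why term-bounded matching matters, and dev-B's LNK falls before the process start. The same boundary cases are worth keeping in mind when tuning the five-minute window in the KQL version.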

Details

Benjamin Zulliger

Released: October 9, 2025

Tables

DeviceFileEvents, DeviceProcessEvents

Keywords

Devices

Operators

let, where, ==, endswith, project, in, has_all, has, or, and, join, kind=inner, on, >=, <, +, -