LemonDuck-competition-killer detects potential adversary behavior where an attacker is using LemonDuck malware to disrupt or disable competing cryptocurrency mining operations on a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise resource usage and network integrity.
KQL Query

```kql
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
| where DeleteVolume >= 40 and DeleteVolume <= 80
```
```yaml
id: 9f6b9f77-0183-4d5b-89a3-761d308cbfad
name: LemonDuck-competition-killer
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Persistence
  - Defense evasion
  - Impact
  - Malware, component
query: |
  DeviceProcessEvents
  | where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
  | summarize make_set(ProcessCommandLine) by DeviceId
  | extend DeleteVolume = array_length(set_ProcessCommandLine)
  | where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
  | where DeleteVolume >= 40 and DeleteVolume <= 80
```
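To see how the query's stages compose (per-device set of matching deletes, the task-name filter, then the 40 to 80 volume window), here is an added Python re-implementation of the rule's logic run over constructed DeviceProcessEvents rows. It is not part of the rule or of Sentinel; `kql_has` is an assumed approximation of KQL whole-term matching, and the host names and task names are made up.

```python
import re
from collections import defaultdict

# Constructed sample DeviceProcessEvents rows (DeviceId, ProcessCommandLine); not real telemetry.
SAMPLE_EVENTS = (
    [("host-a", f'schtasks.exe /Delete /TN "Mysa\\job{i}" /F') for i in range(45)]
    + [("host-a", 'schtasks.exe /Delete /TN "Mysa\\job0" /F')] * 3      # repeats collapse in make_set
    + [("host-b", f'schtasks.exe /Delete /TN "Backup{i}" /F') for i in range(50)]  # bulk, no suspect names
    + [("host-c", f'schtasks.exe /Delete /TN "ok\\{i}" /F') for i in range(10)]    # suspect name, low volume
    + [("host-d", 'schtasks.exe /Create /TN "Mysa" /F')]                          # not a delete
)

REQUIRED_TERMS = ("schtasks.exe", "/Delete", "/TN", "/F")          # has_all(...) terms from the rule
SUSPECT_TERMS = ("Mysa", "Sorry", "Oracle Java Update", "ok")       # has_any(...) terms from the rule


def kql_has(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's terms occur as consecutive whole terms, case-insensitively."""
    h = re.findall(r"[a-z0-9]+", haystack.lower())
    n = re.findall(r"[a-z0-9]+", needle.lower())
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def find_competition_killers(events, low=40, high=80):
    """Mirror the rule: group matching deletes per device, then apply the name and volume filters.

    Returns {DeviceId: DeleteVolume} for the devices the rule would surface.
    """
    per_device = defaultdict(set)                                # make_set(ProcessCommandLine) by DeviceId
    for device_id, cmdline in events:
        if all(kql_has(cmdline, t) for t in REQUIRED_TERMS):     # has_all("schtasks.exe","/Delete","/TN","/F")
            per_device[device_id].add(cmdline)
    hits = {}
    for device_id, cmdlines in per_device.items():
        delete_volume = len(cmdlines)                            # DeleteVolume = array_length(set_ProcessCommandLine)
        if not any(kql_has(c, t) for c in cmdlines for t in SUSPECT_TERMS):  # set has_any(...)
            continue
        if low <= delete_volume <= high:                         # DeleteVolume >= 40 and DeleteVolume <= 80
            hits[device_id] = delete_volume
    return hits


if __name__ == "__main__":
    print(find_competition_killers(SAMPLE_EVENTS))               # {'host-a': 45}
```

Only host-a is surfaced: host-b deletes many tasks but none with a suspect name, host-c has a suspect name but falls below the volume floor, and host-d never passes the has_all filter. Because the has-family operators match whole terms, a task named Mysa1 would not satisfy has_any("Mysa"); tune the term list against your own telemetry before relying on it.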
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running via Task Scheduler to perform system cleanup or disk defragmentation may trigger the rule due to similar command-line execution patterns.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or Task Scheduler and exclude tasks with known benign command-line arguments.
Scenario: Admin Performing Remote PowerShell Execution
Description: An administrator using PowerShell remoting (Invoke-Command) to execute scripts on remote systems may be flagged due to similar process creation and command-line patterns.
Filter/Exclusion: Filter out processes where ProcessName is powershell.exe and ParentProcessName is winrm.exe or mstsc.exe.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like Kaspersky, Bitdefender, or Malwarebytes may trigger the rule during a full system scan due to similar process creation and file access behaviors.
Filter/Exclusion: Exclude processes where ProcessName matches known AV tools or where ParentProcessName is msmpeng.exe (Microsoft Malware Protection Engine).
Scenario: Database Backup Job via SQL Agent
Description: A SQL Server Agent job running a backup script may be flagged due to similar command-line execution and file access patterns.
Filter/Exclusion: Filter out processes where ProcessName is sqlservr.exe and CommandLine contains sqlcmd or backup commands.
Scenario: User-Initiated File Compression or Archiving
Description: A user running a tool like 7-Zip or WinRAR to compress files may trigger the rule due to similar file access and process creation behavior.
Filter/Exclusion: Exclude