LemonDuck malware may use a structured component download mechanism to stage additional payloads or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel so that LemonDuck botnet activity is detected and contained before it leads to data exfiltration or cryptocurrency mining.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("echo","tmp+",".bin","gmd5","downloaddata","down_url")
```
```yaml
id: 036bf8d8-954c-467a-8573-76f0fce614ff
name: LemonDuck-component-download-structure
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
  - Command and control
  - Impact
  - Malware, component
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "cmd.exe"
  | where InitiatingProcessCommandLine has_all("echo","tmp+",".bin","gmd5","downloaddata","down_url")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via SCCM
Description: A system administrator uses Microsoft System Center Configuration Manager (SCCM) to deploy a legitimate software update that includes a component with a similar file name or structure to LemonDuck.
Filter/Exclusion: Check for process.parent_process_name == "msiexec.exe" or process.parent_process_name == "setup.exe" and verify the file hash against known good hashes from Microsoft.
Scenario: Scheduled Job for Backup Tool Execution
Description: A backup tool like Veeam or Acronis runs a scheduled job that downloads a component file to a temporary directory as part of its backup process.
Filter/Exclusion: Filter by process.name == "veeam.exe" or process.name == "acronisbackup.exe" and check the file path against known temporary directories used by the backup tool.
Scenario: Admin Task Using PowerShell for System Maintenance
Description: An administrator uses PowerShell to download a component file as part of a system maintenance task, such as patching or configuration management.
Filter/Exclusion: Filter by process.name == "powershell.exe" and check for the presence of a known admin task or script in the command line arguments.
Scenario: Third-Party Tool for Dependency Management
Description: A third-party tool like Chocolatey or Scoop is used to download a component file as part of dependency resolution during package installation.
Filter/Exclusion: Check for process.name == "choco.exe" or process.name == "scoop.sh" and verify the file source against trusted repositories.
Scenario: Internal Development Tool for Code Deployment
Description: An internal development tool, such as Jenkins or GitLab CI, downloads a component file as part of a continuous integration/continuous deployment (CI/CD) pipeline.
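To show how the hunt query and the false-positive exclusions above fit together, here is an added Python example (not from the original page or the Sentinel repository) that evaluates the same two conditions, plus the SCCM and backup-tool exclusions, over constructed DeviceProcessEvents-style rows. It assumes KQL `has_all` can be approximated by case-insensitive substring matching, and the parent-process and SHA256 columns plus the known-good hash value are assumptions and placeholders.

```python
from dataclasses import dataclass
# Tokens from the page's has_all() clause. KQL has_all does case-insensitive term
# matching; this example approximates it with substring matching (assumption).
LEMONDUCK_TOKENS = ("echo", "tmp+", ".bin", "gmd5", "downloaddata", "down_url")
# Exclusions from the page's false-positive scenarios; the hash is a placeholder.
KNOWN_GOOD_PARENTS = {"msiexec.exe", "setup.exe"}
KNOWN_GOOD_SHA256 = {"<sha256-of-known-good-sccm-component>"}
BACKUP_TOOLS = {"veeam.exe", "acronisbackup.exe"}

@dataclass
class ProcessEvent:
    """Subset of a DeviceProcessEvents row; parent name and hash are assumed columns."""
    initiating_file_name: str
    initiating_command_line: str
    initiating_parent_file_name: str = ""
    file_name: str = ""
    initiating_sha256: str = ""

def has_all(text, tokens):
    """Approximation of KQL has_all(): every token present, case-insensitively."""
    lowered = text.lower()
    return all(tok.lower() in lowered for tok in tokens)

def matches_hunt(ev):
    """The page's two `where` clauses: cmd.exe initiator plus all download tokens."""
    return (ev.initiating_file_name.lower() == "cmd.exe"
            and has_all(ev.initiating_command_line, LEMONDUCK_TOKENS))

def is_allowlisted(ev):
    """Page's tuning: installer parent with a known-good hash, or a backup tool."""
    parent = ev.initiating_parent_file_name.lower()
    if parent in KNOWN_GOOD_PARENTS and ev.initiating_sha256 in KNOWN_GOOD_SHA256:
        return True
    return ev.file_name.lower() in BACKUP_TOOLS

def hunt(events):
    """Return the rows an analyst still needs to triage after tuning."""
    return [ev for ev in events if matches_hunt(ev) and not is_allowlisted(ev)]

# Constructed sample rows, not real telemetry; the command line only strings
# the page's tokens together.
TOKENS_CMD = 'cmd /c "echo tmp+ .bin gmd5 downloaddata down_url"'
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", TOKENS_CMD, "wscript.exe", "x.exe"),            # hit
    ProcessEvent("CMD.EXE", TOKENS_CMD.upper(), "explorer.exe", "x.exe"),   # hit (=~)
    ProcessEvent("cmd.exe", TOKENS_CMD.replace("gmd5", ""), "x.exe"),       # token missing
    ProcessEvent("powershell.exe", TOKENS_CMD, "x.exe"),                    # not cmd.exe
    ProcessEvent("cmd.exe", TOKENS_CMD, "msiexec.exe", "upd.exe", "<sha256-of-known-good-sccm-component>"),  # allowlisted
    ProcessEvent("cmd.exe", TOKENS_CMD, "msiexec.exe", "upd.exe", "deadbeef"),  # unknown hash: hit
    ProcessEvent("cmd.exe", TOKENS_CMD, "services.exe", "veeam.exe"),       # backup tool
]
```

Running `hunt(SAMPLE_EVENTS)` leaves three rows to triage: the two plain cmd.exe hits and the msiexec.exe child whose hash is not on the allowlist.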