LemonDuck-component-names detects potential LemonDuck malware activity by looking for the file names of known LemonDuck components in cmd.exe command lines, an indicator of possible botnet or cryptocurrency-mining operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate LemonDuck infections before they lead to data exfiltration or resource exhaustion.
KQL Query
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_any("kr.bin","if.bin","m6.bin")
id: bcb5f147-863a-4972-aec9-48f67cc24727
name: LemonDuck-component-names
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Persistence
  - Lateral movement
  - Impact
  - Vulnerability
  - Malware, component
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "cmd.exe"
  | where InitiatingProcessCommandLine has_any("kr.bin","if.bin","m6.bin")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
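To see what the query above flags on concrete telemetry, here is an added Python emulation (not code from the rule's author or from Sentinel) that applies the same two predicates to constructed DeviceProcessEvents rows. The `=~` and `has_any` helpers and the sample rows are assumptions; the term-boundary rule only approximates KQL's tokenizer, but it shows why a substring search would over-match where `has_any` does not.

```python
import re

# Constructed DeviceProcessEvents-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": 'cmd.exe /c "C:\\Windows\\Temp\\kr.bin" & exit'},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "CMD.EXE",
     "InitiatingProcessCommandLine": "cmd /c start /b m6.bin -o pool.example:443"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell -c Start-Process if.bin"},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd /c copy report.pdf \\\\fs01\\share"},
    {"DeviceName": "ws05", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd /c run skr.bin"},
]

COMPONENT_NAMES = ("kr.bin", "if.bin", "m6.bin")


def kql_eq_ci(left: str, right: str) -> bool:
    """Emulates KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def kql_has_any(text: str, terms) -> bool:
    """Approximates KQL `has_any`: case-insensitive *term* match, so the
    component name must not be glued to other alphanumerics ('skr.bin'
    does not satisfy has 'kr.bin'). KQL's exact tokenizer is not reproduced."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, flags=re.IGNORECASE):
            return True
    return False


def lemonduck_component_hits(events):
    """Applies the page's two `where` clauses to a list of event rows."""
    return [
        e for e in events
        if kql_eq_ci(e["InitiatingProcessFileName"], "cmd.exe")
        and kql_has_any(e["InitiatingProcessCommandLine"], COMPONENT_NAMES)
    ]


if __name__ == "__main__":
    for hit in lemonduck_component_hits(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessCommandLine"])
```

Only ws01 and ws02 are returned: ws03 is not launched from cmd.exe, ws04 carries no component name, and ws05's "skr.bin" fails the term boundary that `has_any` enforces.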
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a script that uses the string “component-names” as part of a system cleanup or configuration update.
Filter/Exclusion: process.name != "schtasks.exe" AND process.name != "task scheduler" AND process.name != "scheduling"
Scenario: Admin Task Using PowerShell for Configuration Management
Description: An administrator uses PowerShell to configure system components, and the script includes the term “component-names” as part of a configuration parameter.
Filter/Exclusion: process.name != "powershell.exe" OR process.user != "admin_account"
Scenario: Software Update or Patching Process
Description: A legitimate software update process (e.g., from Microsoft or a third-party vendor) includes the term “component-names” in its log or script.
Filter/Exclusion: process.name != "msiexec.exe" AND process.name != "setup.exe" AND process.name != "patch.exe"
Scenario: Log Analysis Tool Parsing System Logs
Description: A log analysis tool (e.g., Splunk, ELK, or Graylog) processes system logs and includes the term “component-names” in its parsing rules.
Filter/Exclusion: process.name != "splunkd.exe" AND process.name != "logstash" AND process.name != "graylog-server"
Scenario: Development Environment with Custom Scripts
Description: A developer’s script (e.g., in Python or Node.js) uses the term “component-names” as part of a custom module or function name.
Filter/Exclusion: process.name != "python.exe" AND process.name != "node.exe" AND process.name != "npm" AND process.name != "yarn"