LemonDuck-control-structure detects potential command and control communication associated with the LemonDuck malware, which is used to maintain persistent remote control over infected systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate LemonDuck botnet activity before it leads to data exfiltration or cryptocurrency mining.
KQL Query

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_all("Exponent=","FromBase64String","$url+")
```
```yaml
id: 9378df8e-9298-4b9f-a50f-62c42b00d9c4
name: LemonDuck-control-structure
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Command and control
  - Exfiltration
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where InitiatingProcessCommandLine has_all("Exponent=","FromBase64String","$url+")
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system maintenance or patching using Windows Task Scheduler | Check for CommandLine containing msiexec, wuauclt, or dism and filter out tasks with known maintenance scripts. |
| Legitimate use of PowerShell for configuration management via Chef or Puppet | Exclude processes with CommandLine containing chef-client, puppet, or psconfig and filter by user account (e.g., LocalSystem or Administrators). |
| Admin task involving Windows Event Log cleanup using LogParser | Filter out processes with CommandLine containing logparser and check for Image path matching C:\Windows\System32\LogParser.exe. |
| Automated backup job using Veeam Backup & Replication | Exclude processes with CommandLine containing veeam or backup and check for Image path matching C:\Program Files\Veeam\Backup\veeam.exe. |
| Use of Windows Management Instrumentation (WMI) for remote system monitoring | Filter out processes with CommandLine containing wbemtest or wmic and check for User field matching known admin accounts. |
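The exclusion scenarios above are written with Sysmon-style names (CommandLine, Image path, User field); in the DeviceNetworkEvents table the corresponding columns are InitiatingProcessCommandLine, InitiatingProcessFolderPath and InitiatingProcessAccountName. The query below is an added example, not the rule's own query: it takes the LemonDuck-control-structure hunt, applies the exclusions with those column names, and ends in a triage summary per device and remote endpoint. The script names and account names in the two allowlists are constructed placeholders; an organisation would substitute its own. Note that an exclusion is only applied when both the scenario's keyword and a known script or account match, so a LemonDuck command line that merely mentions "backup" is not filtered out.

```kql
// Added example (not part of the original rule): LemonDuck-control-structure hunt
// with the false-positive scenarios expressed against DeviceNetworkEvents columns.
let lookback = 7d;
// Constructed placeholders: maintenance scripts the organisation knows to be benign.
let KnownMaintenanceScripts = dynamic(["patch-rollout.ps1", "nightly-backup.ps1"]);
// Constructed placeholders: accounts that legitimately run config-management tooling.
let KnownAdminAccounts = dynamic(["system", "svc-chef", "svc-puppet"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Base detection logic from the rule above
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_all("Exponent=", "FromBase64String", "$url+")
// Column mapping for the scenario table:
//   CommandLine -> InitiatingProcessCommandLine
//   Image path  -> InitiatingProcessFolderPath
//   User field  -> InitiatingProcessAccountName
// Scheduled maintenance or patching: keyword AND a known maintenance script
| where not(InitiatingProcessCommandLine has_any ("msiexec", "wuauclt", "dism")
            and InitiatingProcessCommandLine has_any (KnownMaintenanceScripts))
// Chef / Puppet configuration management run by a known admin account
| where not(InitiatingProcessCommandLine has_any ("chef-client", "puppet", "psconfig")
            and InitiatingProcessAccountName in~ (KnownAdminAccounts))
// LogParser event-log cleanup launched from its expected image path
| where not(InitiatingProcessCommandLine has "logparser"
            and InitiatingProcessFolderPath endswith @"\Windows\System32\LogParser.exe")
// Veeam backup job launched from its expected image path
| where not(InitiatingProcessCommandLine has_any ("veeam", "backup")
            and InitiatingProcessFolderPath endswith @"\Program Files\Veeam\Backup\veeam.exe")
// WMI remote monitoring by a known admin account
| where not(InitiatingProcessCommandLine has_any ("wbemtest", "wmic")
            and InitiatingProcessAccountName in~ (KnownAdminAccounts))
// Triage view: one row per device, account and remote endpoint, with a few
// sample command lines so the analyst can confirm the Exponent/FromBase64String pattern
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            RemotePorts = make_set(RemotePort, 10),
            SampleCommandLines = make_set(InitiatingProcessCommandLine, 3)
    by DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl
| order by Connections desc
```

Run it from Advanced hunting or the Sentinel Logs blade over the Microsoft 365 Defender connector data; the summarized rows give the remote IPs and URLs to pivot on, and the account and device columns show where to start containment if the command line pattern is confirmed.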