LemonDuck malware may attempt to evade detection by disabling Microsoft Defender real-time monitoring and adding its own processes to Defender's exclusion list, indicating persistence and defense-evasion tactics. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate LemonDuck infections before they establish a persistent botnet or compromise sensitive systems.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
```yaml
id: a67288b7-a5e2-4cb8-b792-604f7485bfb1
name: LemonDuck-defender-exclusions
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - DefenseEvasion
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
  | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system maintenance using Task Scheduler
Description: A system administrator schedules a maintenance task using Windows Task Scheduler that executes a script or executable with a name similar to LemonDuck malware.
Filter/Exclusion: Exclude processes initiated by Task Scheduler with a Start Time within the last 7 days and associated with known administrative tasks (e.g., Cleanup, Disk Defragmentation, System Update).
Filter Example: process.parent_process_name == "schtasks.exe" && process.start_time > now-7d
Scenario: Antivirus or endpoint protection tool signature update
Description: A legitimate endpoint protection tool (e.g., Microsoft Defender or CrowdStrike Falcon) performs a signature update that temporarily matches the hash or behavior of LemonDuck.
Filter/Exclusion: Exclude processes with process.name == "mpcmdrun.exe" or process.name == "falcon.exe" and check for process.parent_process_name == "explorer.exe" or process.parent_process_name == "svchost.exe".
Filter Example: process.name in ("mpcmdrun.exe", "falcon.exe")
Scenario: Automated backup or data synchronization job
Description: A backup tool (e.g., Veeam, Acronis, or Windows Backup) runs a script or executable that temporarily exhibits behavior similar to LemonDuck, such as file encryption or data exfiltration.
Filter/Exclusion: Exclude processes associated with backup tools (e.g., veeam.exe, acronis.exe, wbadmin.exe) and check for process.command_line containing terms like "backup", "restore", or "sync".
Filter Example: `process.name in ("veeam.exe", "acronis.exe", "wb
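The following is an added example, not part of the original hunting query or its author's material: a Python stand-in for the `has_all` clause above, run over constructed DeviceProcessEvents rows, plus a tuning allowlist keyed on `InitiatingProcessFileName` (the DeviceProcessEvents column that corresponds to the `process.name` field used in the backup-tool scenario). The term matcher approximates Kusto `has` semantics (case-insensitive, whole-term) and is an assumption, not the engine itself; the command lines, device ids and the `veeam.exe` initiator are constructed samples. It also shows the gap a practitioner should know about: a row that only disables real-time monitoring, without the `Add-MpPreference -ExclusionProcess` half, is not returned by this query.

```python
import re
from typing import Dict, Iterable, List

# Terms the page's KQL `has_all` clause requires, all in InitiatingProcessCommandLine.
REQUIRED_TERMS = ("Set-MpPreference", "DisableRealtimeMonitoring",
                  "Add-MpPreference", "ExclusionProcess")

def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has` (assumed): case-insensitive, and the term may not be
    glued to other alphanumerics, so 'ExclusionProcessX' does not match."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def matches_query(event: Dict[str, str]) -> bool:
    """Equivalent of `| where InitiatingProcessCommandLine has_all (...)`."""
    cmd = event.get("InitiatingProcessCommandLine", "")
    return all(has_term(cmd, t) for t in REQUIRED_TERMS)

def exclusion_targets(cmd: str) -> List[str]:
    """Extract what was passed to -ExclusionProcess so the analyst sees what got allow-listed."""
    found = re.findall(r"-ExclusionProcess\s+([^;|&]+)", cmd, re.IGNORECASE)
    return [m.strip(" '\"") for m in found]

def hunt(events: Iterable[Dict[str, str]], allowed_initiators: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Run the detection, dropping rows whose initiating binary is on the tuning allowlist
    (the backup-tool scenario). Returns DeviceId -> exclusion targets for the remaining hits."""
    allowed = {a.lower() for a in allowed_initiators}
    findings: Dict[str, List[str]] = {}
    for ev in events:
        if ev.get("InitiatingProcessFileName", "").lower() in allowed:
            continue
        if matches_query(ev):
            findings[ev["DeviceId"]] = exclusion_targets(ev["InitiatingProcessCommandLine"])
    return findings

# Constructed sample rows (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    {"DeviceId": "dev-01", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell -c \"Set-MpPreference -DisableRealtimeMonitoring $true; "
                                     "Add-MpPreference -ExclusionProcess 'C:\\ProgramData\\placeholder.exe'\""},
    # Only real-time monitoring is disabled: has_all needs all four terms, so this row is missed.
    {"DeviceId": "dev-02", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Same tampering in lower case: still caught because `has` is case-insensitive.
    {"DeviceId": "dev-03", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "set-mppreference -disablerealtimemonitoring 1; "
                                     "add-mppreference -exclusionprocess C:\\Users\\Public\\x.exe"},
    # Constructed backup agent doing the same thing; removed only when the allowlist names it.
    {"DeviceId": "dev-04", "InitiatingProcessFileName": "veeam.exe",
     "InitiatingProcessCommandLine": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                                     "Add-MpPreference -ExclusionProcess veeam.exe"},
]

if __name__ == "__main__":
    for device, targets in hunt(SAMPLE_EVENTS, allowed_initiators=("veeam.exe",)).items():
        print(device, targets)
```

Note that an allowlist on the initiating binary alone is coarse: dev-04 is suppressed purely because of its file name, so a review of the excluded path it added is still worthwhile before the tuning is committed.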