LemonDuck malware may generate unique identifiers to evade detection and maintain persistent communication within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate LemonDuck botnet activity before it leads to data exfiltration or cryptocurrency mining.
KQL Query

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine endswith "(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"
```
```yaml
id: fb314e1d-5fa0-4007-b6f3-d14d9a6c0117
name: LemonDuck-id-generation
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Lateral movement
  - Command and control
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where InitiatingProcessCommandLine endswith "(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Known benign scenarios and the exclusion that removes each from the results:

- Scenario: Legitimate scheduled job for database ID generation using sqlcmd
  Filter/Exclusion: `process.parent_process_name != "sqlcmd" or process.command_line NOT LIKE '%-Q%'`
- Scenario: Admin task using PowerShell to generate unique identifiers for log entries
  Filter/Exclusion: `process.parent_process_name != "powershell.exe" or process.command_line NOT LIKE '*New-Guid*'`
- Scenario: System maintenance script using cmd.exe to generate temporary file names
  Filter/Exclusion: `process.parent_process_name != "cmd.exe" or process.command_line NOT LIKE '*mktemp*'`
- Scenario: Development environment using Python to generate unique IDs for testing
  Filter/Exclusion: `process.parent_process_name != "python.exe" or process.command_line NOT LIKE '*uuid.uuid4*'`
- Scenario: Backup script using rsync to generate unique backup identifiers
  Filter/Exclusion: `process.parent_process_name != "rsync" or process.command_line NOT LIKE '*--suffix*'`
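To see how the hunt above and the exclusion list interact, here is an offline re-implementation of both, run over a few constructed DeviceNetworkEvents rows. This is an added example, not Microsoft's or Sentinel's code: the field names are those from the query (`InitiatingProcessFileName`, `InitiatingProcessCommandLine`), the sample events are made up, and mapping the page's `process.parent_process_name` onto `InitiatingProcessFileName` is an assumption. It mirrors the two KQL semantics that matter here: `=~` and `endswith` are case-insensitive, and each "Filter/Exclusion" removes an event only when its negation holds (the process name matches and the command line matches the LIKE pattern).

```python
"""Offline model of the LemonDuck-id-generation hunt plus the page's exclusions.
Added example, not the Sentinel rule's own code. Sample events are constructed."""
import re
from dataclasses import dataclass

# Trailing fragment of the LemonDuck ID-generation command, as quoted in the query above
LEMONDUCK_ID_SUFFIX = (
    "(@($env:COMPUTERNAME,$env:USERNAME,"
    "(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"
)


@dataclass
class DeviceNetworkEvent:
    DeviceName: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str


def matches_hunt(ev: DeviceNetworkEvent) -> bool:
    """The two '| where' clauses; KQL '=~' and 'endswith' ignore case, so lower-case both sides."""
    if ev.InitiatingProcessFileName.lower() != "powershell.exe":
        return False
    return ev.InitiatingProcessCommandLine.lower().endswith(LEMONDUCK_ID_SUFFIX.lower())


# The page's Scenario/Filter pairs as (process name, LIKE pattern). The filter keeps an event
# when "name != X or cmd NOT LIKE p", so an event is benign only when BOTH parts are true.
# Assumption: the page's process.parent_process_name corresponds to InitiatingProcessFileName.
BENIGN_SCENARIOS = [
    ("sqlcmd", "%-Q%"),
    ("powershell.exe", "*New-Guid*"),
    ("cmd.exe", "*mktemp*"),
    ("python.exe", "*uuid.uuid4*"),
    ("rsync", "*--suffix*"),
]


def like_to_regex(pattern: str) -> re.Pattern:
    """The page mixes SQL '%' and glob '*' wildcards; treat both as 'any text'."""
    parts = re.split(r"[%*]", pattern)
    return re.compile(".*".join(re.escape(p) for p in parts), re.IGNORECASE | re.DOTALL)


def is_known_benign(ev: DeviceNetworkEvent) -> bool:
    for name, pattern in BENIGN_SCENARIOS:
        if (ev.InitiatingProcessFileName.lower() == name.lower()
                and like_to_regex(pattern).fullmatch(ev.InitiatingProcessCommandLine)):
            return True
    return False


def hunt(events):
    """Device names whose events match the hunt and are not covered by an exclusion."""
    return [ev.DeviceName for ev in events if matches_hunt(ev) and not is_known_benign(ev)]


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # Plain hit: PowerShell whose command line ends with the LemonDuck fragment
    DeviceNetworkEvent("ws-01", "powershell.exe",
                       "powershell -nop -c $id=" + LEMONDUCK_ID_SUFFIX),
    # Same thing in different casing: still a hit because '=~' and 'endswith' ignore case
    DeviceNetworkEvent("ws-02", "POWERSHELL.EXE",
                       "powershell -ep bypass -c " + LEMONDUCK_ID_SUFFIX.upper()),
    # Same fragment but the initiating process is cmd.exe: the first clause drops it
    DeviceNetworkEvent("srv-03", "cmd.exe", "cmd /c echo " + LEMONDUCK_ID_SUFFIX),
    # Admin New-Guid task: matches an exclusion, and never matched the hunt anyway
    DeviceNetworkEvent("ws-04", "powershell.exe", "powershell -c (New-Guid).Guid"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # ['ws-01', 'ws-02']
```

Running it shows one thing worth knowing before spending time on tuning: because the hunt already anchors on the literal LemonDuck fragment, none of the listed benign scenarios can overlap with a true hit (a `New-Guid` or `uuid.uuid4` command line does not end with that fragment). The exclusions are general tuning for broader "unique ID generation" hunts, and for this specific query the more useful follow-up is to widen it (for example, `has` instead of `endswith`, so a trailing character added by a later LemonDuck variant does not break the match) and then re-check the exclusions against the wider result set.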