LemonDuck malware may be registering itself with a command-and-control server to establish persistent communication and receive instructions. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate LemonDuck botnet activity before it leads to data exfiltration or cryptocurrency mining operations.
KQL Query

```kql
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields =~ "{\"Command\":\"SIEX\"}"
```
```yaml
id: 9e963c83-c569-4c9e-a729-d8f7ca05464d
name: LemonDuck-registration-function
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Execution
  - Persistence
  - Lateral movement
  - Command and control
query: |
  DeviceEvents
  | where ActionType == "PowerShellCommand"
  | where AdditionalFields =~ "{\"Command\":\"SIEX\"}"
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
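To see exactly which events the query above would surface, here is an added offline simulation of its logic (example code written for this page; it is not Microsoft's code and not part of the original hunting query). It replays the two `where` clauses over a handful of constructed `DeviceEvents` rows and contrasts the page's raw-string comparison (`AdditionalFields =~ "{\"Command\":\"SIEX\"}"`, where KQL `=~` is case-insensitive string equality) with a JSON-aware match that still fires when `AdditionalFields` carries additional fields alongside `Command`. All row values, device names, and the `json_aware_match` rewrite are assumptions made for the demonstration.

```python
"""Offline replay of the LemonDuck "SIEX" registration hunt.

Added example, not code from the original page or from Microsoft. The rows in
SAMPLE_EVENTS are constructed for the demo; ActionType and AdditionalFields are
the DeviceEvents columns the page's query uses, and AdditionalFields is treated
as the JSON-formatted string the query compares against.
"""
import json

# Constructed sample rows (DeviceName values are invented).
SAMPLE_EVENTS = [
    # 0: the exact payload the page's query looks for.
    {"DeviceName": "ws-01", "ActionType": "PowerShellCommand",
     "AdditionalFields": '{"Command":"SIEX"}'},
    # 1: same payload, different letter case; KQL =~ ignores case, so it matches.
    {"DeviceName": "ws-02", "ActionType": "PowerShellCommand",
     "AdditionalFields": '{"command":"siex"}'},
    # 2: same command but an extra JSON field; whole-string equality misses it.
    {"DeviceName": "ws-03", "ActionType": "PowerShellCommand",
     "AdditionalFields": '{"Command":"SIEX","Flags":0}'},
    # 3: benign PowerShell activity.
    {"DeviceName": "ws-04", "ActionType": "PowerShellCommand",
     "AdditionalFields": '{"Command":"Get-Process"}'},
    # 4: right payload string, wrong ActionType (first filter rejects it).
    {"DeviceName": "ws-05", "ActionType": "ProcessCreated",
     "AdditionalFields": '{"Command":"SIEX"}'},
]


def kql_string_match(event: dict) -> bool:
    """Mirror the page's KQL: ActionType == literal, AdditionalFields =~ literal.

    `=~` in KQL is case-insensitive equality on the whole string, which is what
    the .lower() comparison reproduces here.
    """
    return (event.get("ActionType") == "PowerShellCommand"
            and str(event.get("AdditionalFields", "")).lower()
            == '{"command":"siex"}')


def json_aware_match(event: dict) -> bool:
    """Assumed hardening: parse AdditionalFields and test the Command value.

    This keeps firing when the JSON gains extra keys or different whitespace,
    which the raw-string comparison does not. Malformed JSON is treated as a
    non-match rather than an error so one bad row cannot abort the hunt.
    """
    if event.get("ActionType") != "PowerShellCommand":
        return False
    try:
        fields = json.loads(event.get("AdditionalFields", ""))
    except (json.JSONDecodeError, TypeError):
        return False
    if not isinstance(fields, dict):
        return False
    # Case-insensitive key and value comparison, matching the spirit of =~.
    for key, value in fields.items():
        if key.lower() == "command" and isinstance(value, str) \
                and value.lower() == "siex":
            return True
    return False


def hunt(events: list, matcher) -> list:
    """Return the indexes of rows the given matcher flags."""
    return [i for i, event in enumerate(events) if matcher(event)]


if __name__ == "__main__":
    for name, matcher in (("raw-string =~", kql_string_match),
                          ("json-aware", json_aware_match)):
        hits = hunt(SAMPLE_EVENTS, matcher)
        print(f"{name:14s} -> rows {hits}: "
              f"{[SAMPLE_EVENTS[i]['DeviceName'] for i in hits]}")
```

Running it shows the raw-string comparison flagging rows 0 and 1 only, while the JSON-aware variant also catches row 2. The KQL equivalent of the hardened check would parse the column with `parse_json()` and compare `tostring(...Command)` with `=~`; test that rewrite against your own data volume before swapping it in, since parsing every PowerShellCommand row costs more than a string compare.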
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup or update job, may trigger the rule due to similar process behavior.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., Cleanup-System-Update, DiskDefrag).
Scenario: Admin Performing Registry Key Modification
Description: An administrator modifying registry keys using reg.exe or regedit.exe to configure system settings may be flagged due to similar file or registry activity.
Filter/Exclusion: Exclude processes with reg.exe or regedit.exe that modify known legitimate registry paths (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
Scenario: PowerShell Script for User Account Management
Description: A PowerShell script run by an admin to create or modify user accounts using powershell.exe may be flagged due to similar script execution patterns.
Filter/Exclusion: Exclude processes with powershell.exe that execute scripts from known admin tools or user account management scripts (e.g., Create-UserAccount.ps1).
Scenario: Antivirus or Endpoint Protection Scan
Description: A scheduled scan by an antivirus tool such as Windows Defender or Malwarebytes may trigger the rule due to similar process execution or file access patterns.
Filter/Exclusion: Exclude processes with MsMpEng.exe (Windows Defender) or mbam.exe (Malwarebytes) running during scheduled scans.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job running a backup using sqlservr.exe or sqlagent.exe may be flagged due to similar process behavior or file access.