The detection identifies potential Lumma Stealer activity through known IOCs associated with this information-stealer family (Lumma is a credential and data stealer, not ransomware). A DNS query for one of the listed domains indicates that a host may be contacting Lumma Stealer command-and-control infrastructure, the channel over which harvested credentials and data are exfiltrated. SOC teams should hunt for this behavior proactively so that a compromised host is identified and contained before significant data loss occurs.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 7
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | claimsj.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | passedt.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | cohesrc.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | montgqd.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | familbi.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | feathqz.cyou | botnet_cc | 2026-06-12 | 100% |
| domain | pitchgb.cyou | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
// has_any matches whole terms, so a query for a subdomain such as
// www.claimsj.cyou is also returned; "notclaimsj.cyou" is not.
let malicious_domains = dynamic(["claimsj.cyou", "passedt.cyou", "cohesrc.cyou", "montgqd.cyou", "familbi.cyou", "feathqz.cyou", "pitchgb.cyou"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. DnsEvents is populated by the legacy DNS Analytics connector; if DNS telemetry is collected through the newer AMA-based connectors it lands in ASimDnsActivityLogs instead, where the queried name is in the DnsQuery column. |
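To check that the matching logic behaves as intended before running it at scale, the following added example (not part of the original page or of the ThreatFox feed) re-implements the hunt offline in Python over a handful of constructed DnsEvents rows. The IOC domains are the seven listed above; the event rows, host names and IP addresses are made-up test data. Matching is done on DNS labels, so a subdomain of an IOC domain is a hit while a look-alike such as notclaimsj.cyou is not, which is the same outcome the KQL has_any term matching gives for those cases.

```python
"""Offline replay of the DNS-IOC hunt against constructed sample events.

Added example; not code from the original page or from ThreatFox.
IOC_DOMAINS are the indicators listed on the page. SAMPLE_EVENTS is
constructed test data that mirrors the DnsEvents columns projected in
the KQL query, not real telemetry.
"""
import json
from typing import Dict, List, Optional

# IOC domains from the page (ThreatFox, Lumma Stealer, botnet_cc).
IOC_DOMAINS = [
    "claimsj.cyou", "passedt.cyou", "cohesrc.cyou", "montgqd.cyou",
    "familbi.cyou", "feathqz.cyou", "pitchgb.cyou",
]

# Constructed DnsEvents rows as JSON lines (hosts, IPs and times are invented).
SAMPLE_EVENTS = """\
{"TimeGenerated": "2026-06-12T08:01:02Z", "Computer": "WS-0412", "Name": "claimsj.cyou", "IPAddresses": "203.0.113.10", "QueryType": "A"}
{"TimeGenerated": "2026-06-12T08:01:09Z", "Computer": "WS-0412", "Name": "www.PASSEDT.cyou.", "IPAddresses": "", "QueryType": "A"}
{"TimeGenerated": "2026-06-12T08:02:30Z", "Computer": "SRV-DB01", "Name": "notclaimsj.cyou", "IPAddresses": "198.51.100.7", "QueryType": "A"}
{"TimeGenerated": "2026-06-12T08:03:15Z", "Computer": "WS-0099", "Name": "login.microsoftonline.com", "IPAddresses": "20.190.160.1", "QueryType": "A"}
{"TimeGenerated": "2026-06-12T08:04:44Z", "Computer": "WS-0511", "Name": "pitchgb.cyou", "IPAddresses": "", "QueryType": "AAAA"}
"""


def normalize(name: str) -> str:
    """Lower-case the name and strip whitespace and a trailing FQDN dot."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: List[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Comparison is per DNS label, so "notclaimsj.cyou" does not match
    "claimsj.cyou" (different last-but-one label) while "www.claimsj.cyou"
    does. A plain substring test would wrongly flag the look-alike.
    """
    labels = normalize(name).split(".")
    for ioc in iocs:
        ioc_labels = normalize(ioc).split(".")
        if len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels:
            return normalize(ioc)
    return None


def hunt(jsonl: str, iocs: List[str] = IOC_DOMAINS) -> List[Dict[str, str]]:
    """Mirror the KQL hunt: keep rows whose Name hits an IOC, project the same
    columns plus MatchedIOC, and order by TimeGenerated descending."""
    hits: List[Dict[str, str]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ioc = matches_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev["IPAddresses"],
            "QueryType": ev["QueryType"],
            "MatchedIOC": ioc,
        })
    hits.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts to pivot on for triage (isolation, process and outbound
    connection review), derived from the hunt results."""
    return sorted({r["Computer"] for r in hits})


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for row in results:
        print(row)
    print("hosts to triage:", affected_hosts(results))
```

Run against the constructed rows, the hunt returns three hits (pitchgb.cyou, www.PASSEDT.cyou. and claimsj.cyou, newest first) and two hosts to triage; the look-alike domain and the Microsoft login domain are not returned. An empty IPAddresses field on a hit usually means the name failed to resolve or was sinkholed, which is still worth triage because the query itself shows the host attempted the C2 contact.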
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A scheduled task runs a script that uses psutil (a Python library for system monitoring) to check running processes. This may trigger the rule due to process enumeration behavior similar to malware.
Filter/Exclusion: Exclude the specific monitoring script by its full path (and, where possible, its hash or signer) when it is a known part of the enterprise’s system monitoring tools. Do not exclude python.exe or psutil-based activity as a whole, since interpreters are also a common vehicle for malicious process enumeration.
Scenario: Admin Task Using Process Explorer
Description: An administrator uses Process Explorer (a legitimate Microsoft tool) to investigate high memory usage on a server. The tool may trigger the rule due to process enumeration or memory analysis.
Filter/Exclusion: Exclude procexp.exe and procexp64.exe by the full path from which the administration team runs them and verify the Microsoft (Sysinternals) signature. Process Explorer is not installed under C:\Windows\System32 by default, so an unsigned procexp.exe appearing there should be investigated rather than excluded.
Scenario: Legitimate Log Analysis Tool Using PowerShell
Description: A log analysis tool like Splunk or ELK Stack runs a PowerShell script to parse and analyze system logs, which may include process enumeration or memory checks.
Filter/Exclusion: Exclude PowerShell scripts that are known to be part of the enterprise’s log analysis infrastructure (e.g., C:\Program Files\Splunk\bin\ or C:\elastic\).
Scenario: Software Update or Patching Tool
Description: A patching tool such as Windows Update or Microsoft Configuration Manager (SCCM) runs a script that checks for running processes or system state, which may resemble malicious behavior.
Filter/Exclusion: Exclude processes associated with the patching tool (e.g., C:\Windows\System32\wusa.exe, C:\Windows\System32\msiexec.exe, or SCCM-related paths).
Scenario: Database Backup Job with Memory Usage Analysis
Description: A database backup job uses a tool like dbatools or `