Detecting Lumma Stealer Commands
Query
DeviceFileEvents
| extend CommandWords = split(InitiatingProcessCommandLine, " ") // Split the command into words
| extend Word1 = CommandWords[0], // First word
Word2 = CommandWords[1], // Second word
Word3 = CommandWords[2], // Third word
Word4 = CommandWords[3], // Fourth word
Word5 = CommandWords[4]
| extend LongestWord = case(
strlen(Word1) >= strlen(Word2) and strlen(Word1) >= strlen(Word3) and strlen(Word1) >= strlen(Word4) and strlen(Word1) >= strlen(Word5), Word1,
strlen(Word2) >= strlen(Word1) and strlen(Word2) >= strlen(Word3) and strlen(Word2) >= strlen(Word4) and strlen(Word2) >= strlen(Word5), Word2,
strlen(Word3) >= strlen(Word1) and strlen(Word3) >= strlen(Word2) and strlen(Word3) >= strlen(Word4) and strlen(Word3) >= strlen(Word5), Word3,
strlen(Word4) >= strlen(Word1) and strlen(Word4) >= strlen(Word2) and strlen(Word4) >= strlen(Word3) and strlen(Word4) >= strlen(Word5), Word4,
Word5 // Default case if Column5 is the longest
)
| extend tostring(LongestWord)
| extend DecodedBytes = base64_decode_tostring(LongestWord)
| extend DecodedString = tostring(DecodedBytes)
| where DecodedString contains "mshta" or InitiatingProcessCommandLine contains "mshta"
| distinct DeviceName,InitiatingProcessCommandLine,LongestWord,DecodedStringAbout this query
Detecting Lumma Stealer commands
One of the techniques used to distribute the Lumma Stealer malware is via command lines using the native Windows application mshta which is an HTML tool for executing scripts. This KQL Query helps to identify commands that use the aforementioned application and also those that use the application and also those that use powershell and encode the malicious code in base64.
Explanation
This KQL query is designed to detect potential Lumma Stealer malware activity by examining command lines executed on devices. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by looking at
DeviceFileEvents, which contains information about file-related activities on devices. -
Command Line Analysis:
- It splits the command line used to initiate a process into individual words.
- It identifies the first five words from the command line for further analysis.
-
Longest Word Identification:
- Among the first five words, it determines which word is the longest.
-
Base64 Decoding:
- It attempts to decode the longest word as a Base64 string, converting it into readable text.
-
Malware Detection:
- It checks if the decoded string or the original command line contains the term "mshta", which is a Windows tool often used to execute scripts and can be exploited by malware like Lumma Stealer.
-
Result Filtering:
- It filters the results to show only distinct entries, displaying the device name, the original command line, the longest word, and the decoded string.
In summary, this query helps identify suspicious command lines that might be associated with the Lumma Stealer malware, specifically looking for the use of "mshta" and potentially encoded malicious scripts.
Details

Sergio Albea
Released: January 14, 2025
Tables
Keywords
Operators