Query Details

Rule : Detection of Suspicious MSI and DLL Activity Associated with Latrodectus Malware

Latrodectus File Creation

Query

DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi","aes256.msi","neo.msi","bim.msi","WSC.msi") 
| where InitiatingProcessCommandLine has_any("msiexec", "rundll32")

About this query

Explanation

Summary of the Query

This query is designed to detect suspicious activities that might indicate the presence of Latrodectus malware on a system. Specifically, it looks for:

  1. Suspicious File Paths: The query monitors for the creation or modification of certain files and directories that are commonly associated with malicious activity. These include:

    • aclui.dll
    • Files in the Roaming\capisp directory
    • MSI files in the temp directory, such as vpn.msi, neuro.msi, bst.msi, aes256.msi, neo.msi, bim.msi, and WSC.msi
  2. Suspicious Processes: It also checks if these files are being accessed or manipulated by processes that are often used in malicious contexts, specifically:

    • msiexec (Microsoft Installer)
    • rundll32 (a utility that runs DLLs)

Purpose

The goal is to identify early signs of Latrodectus malware infection by detecting unusual file and process activities that are not typically associated with legitimate software installations or updates. This helps in catching the malware before it can execute its payloads or establish persistence on the system.

Tags and Context

  • Latrodectus Malware: A sophisticated malware family known for evading detection and delivering harmful payloads.
  • Suspicious MSI Activity: Monitoring MSI files that could be used maliciously.
  • DLL Hijacking: Detecting potential DLL hijacking attempts.
  • Process Execution: Observing the execution of potentially harmful processes.
  • MITRE ATT&CK T1059: Relates to the use of command and scripting interpreters for malicious purposes.
  • Persistence: Identifying methods used by malware to maintain a foothold on the system.
  • Suspicious Activity: General monitoring for activities that deviate from normal behavior.

KQL Search Query

The KQL (Kusto Query Language) query used for detection is:

DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi","aes256.msi","neo.msi","bim.msi","WSC.msi") 
| where InitiatingProcessCommandLine has_any("msiexec", "rundll32")

This query filters DeviceFileEvents to find events where the FolderPath contains any of the specified suspicious files and the InitiatingProcessCommandLine includes either msiexec or rundll32.

Details

Ali Hussein profile picture

Ali Hussein

Released: August 6, 2024

Tables

DeviceFileEvents

Keywords

DevicesMalwareSuspiciousActivityProcessExecutionPersistence

Operators

has_anywhere|

MITRE Techniques

Actions

GitHub