Rule : Detection of Suspicious MSI and DLL Activity Associated with Latrodectus Malware
Latrodectus File Creation
Query
DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi","aes256.msi","neo.msi","bim.msi","WSC.msi")
| where InitiatingProcessCommandLine has_any("msiexec", "rundll32")About this query
Explanation
Summary of the Query
This query is designed to detect suspicious activities that might indicate the presence of Latrodectus malware on a system. Specifically, it looks for:
-
Suspicious File Paths: The query monitors for the creation or modification of certain files and directories that are commonly associated with malicious activity. These include:
aclui.dll- Files in the
Roaming\capispdirectory - MSI files in the
tempdirectory, such asvpn.msi,neuro.msi,bst.msi,aes256.msi,neo.msi,bim.msi, andWSC.msi
-
Suspicious Processes: It also checks if these files are being accessed or manipulated by processes that are often used in malicious contexts, specifically:
msiexec(Microsoft Installer)rundll32(a utility that runs DLLs)
Purpose
The goal is to identify early signs of Latrodectus malware infection by detecting unusual file and process activities that are not typically associated with legitimate software installations or updates. This helps in catching the malware before it can execute its payloads or establish persistence on the system.
Tags and Context
- Latrodectus Malware: A sophisticated malware family known for evading detection and delivering harmful payloads.
- Suspicious MSI Activity: Monitoring MSI files that could be used maliciously.
- DLL Hijacking: Detecting potential DLL hijacking attempts.
- Process Execution: Observing the execution of potentially harmful processes.
- MITRE ATT&CK T1059: Relates to the use of command and scripting interpreters for malicious purposes.
- Persistence: Identifying methods used by malware to maintain a foothold on the system.
- Suspicious Activity: General monitoring for activities that deviate from normal behavior.
KQL Search Query
The KQL (Kusto Query Language) query used for detection is:
DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi","aes256.msi","neo.msi","bim.msi","WSC.msi")
| where InitiatingProcessCommandLine has_any("msiexec", "rundll32")
This query filters DeviceFileEvents to find events where the FolderPath contains any of the specified suspicious files and the InitiatingProcessCommandLine includes either msiexec or rundll32.
