Query Details

Detect lumma stealer using TeslaBrowser user agent

Lumma Stealer Using Tesla Browser Useragent

Query

DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend direction = tostring(json.direction), method = tostring(json.method), user_agent = tostring(json.user_agent)
 | where direction == "Out"
 | where method == "GET"
 | where user_agent contains @"TeslaBrowser"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc

About this query

Detect lumma stealer using TeslaBrowser user agent

Description

Recently seen in the wild rising further, Lumma stealer has been observed to perform HTTP GET method, while using “TeslaBrowser/5.5” user agent.

References

Microsoft 365 Defender & Microsoft Sentinel

Versioning

VersionDateComments
1.026/09/2023Initial publish

Explanation

The query is looking for instances of the Lumma stealer malware that uses the "TeslaBrowser/5.5" user agent. It filters for HTTP GET requests and checks if the user agent contains "TeslaBrowser". The query retrieves the timestamp, device name, remote IP, remote port, and remote URL for these events, sorting them by timestamp in descending order.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: September 26, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsActionTypeHttpConnectionInspectedAdditionalFieldsdirectionmethoduser_agentOutGETTeslaBrowserTimestampDeviceNameRemoteIPRemotePortRemoteUrl

Operators

whereextendtostringcontainsprojectsort by

Actions

GitHub