Source: socprime.com – Author: Steven Edwards
How It Works
This Uncoder AI feature analyzes a complex CERT-UA#1170 threat report describing the LITERNAMAGER malware family and generates a Cortex XSIAM-compatible XQL rule. The AI extracts structured indicators and behaviors, then maps them to different Cortex datasets:
1. Process & Command Line Activity
The rule detects suspicious command-line execution of YOURClient.exe and YOURServer.exe, including switches like /server, /firewall, /run and /ns. These are indicative of LITERNAMAGER's deployment and control binaries.
2. Registry-Based Persistence
Registry keys under HKLM\SYSTEM\LiteManager Pro – Server\Parameters are checked for values like:
- callbacksettingsip
- HideTrayIcon
- NoEncryption
- StartHidden
These values point to silent or covert execution configurations of the remote admin tool.
3. Network Telemetry
Matches are triggered for outbound connections to known C2 infrastructure (e.g., http://62.80.164.9/... and http://91.210.107.208/...) seen in the original CERT-UA#1170 report. IPs and URLs are pulled directly into the rule.
Why It’s Innovative
This use case highlights Uncoder AI’s ability to:
- Combine diverse telemetry sources (process, registry, network)
- Automatically extract behavior chains (e.g., persistence, launch methods)
- Apply LLM-powered parsing to translate technical threat descriptions into production-ready XQL logic
Traditional IOC-based rules would only capture matches on domains or hashes. This feature goes deeper, building behavioral detections aligned to tactics, techniques, and configurations specific to the malware.
Operational Value / Benefits
- High-Fidelity Detections: Alerts are based on behaviors unique to LITERNAMAGER, not just one-time IOCs.
- Multi-Layer Coverage: Analysts gain detection logic across endpoint activity, registry changes, and external communication.
- Threat-Informed Engineering: XQL logic reflects real-world malware deployment steps, useful for both detection and validation.
Original Post URL: https://socprime.com/blog/full-detection-logic-for-liternamager-in-cortex-xsiam-via-uncoder-ai/
Category & Tags: Blog, SOC Prime Platform, Cortex XSIAM, Uncoder AI, XQL detection