
How It Works
This Uncoder AI feature analyzes a complex CERT-UA#1170 threat report describing the LITERNAMAGER malware family and generates a Cortex XSIAM-compatible XQL rule. The AI extracts structured indicators and behaviors, then maps them to different Cortex datasets:
1. Process & Command Line Activity
The rule detects suspicious command-line execution of:
- YOURClient.exe
- YOURServer.exe
including switches such as /server, /firewall, /run and /ns.
These are indicative of LITERNAMAGER's deployment and control binaries.

2. Registry-Based Persistence
Registry keys under:
HKLM\SYSTEM\LiteManager Pro – Server\Parameters
are checked for values such as:
- callbacksettings\ip
- HideTrayIcon
- NoEncryption
- StartHidden
These values point to silent or covert execution configurations of the remote admin tool. LiteManager is a legitimate remote administration product, so the presence of the key alone is not malicious; it is the combination of hidden-tray, no-encryption, start-hidden and callback settings that marks a covert deployment.
3. Network Telemetry
Matches are triggered for outbound connections to known C2 infrastructure (e.g., http://62.80.164.9/..., http://91.210.107.208/...) seen in the original CERT-UA#1170 report. The IPs and URLs are pulled directly from the report into the rule.
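As an added example that is not code from SOC Prime, Uncoder AI or the CERT-UA report, the following Python re-implements the three detection layers above (process command line, registry persistence, network) and runs them over a handful of constructed telemetry events. The event dictionaries and their field names, the sample events, the backslash separators in the registry path and the en-dash/hyphen normalisation are assumptions for illustration; the indicators themselves are the ones listed on this page. The final verdict goes beyond the text by treating two or more agreeing layers as a higher-confidence signal than a single match.

```python
"""Three-layer LITERNAMAGER detection logic, re-implemented in Python as an added example.

Not SOC Prime, Uncoder AI or CERT-UA code. Indicators come from the page above; the event
dictionaries, their field names and the registry path separators are assumptions.
"""
import re
from urllib.parse import urlparse

# Layer 1: deployment / control binaries and the switches named in the report.
SUSPICIOUS_IMAGES = {"yourclient.exe", "yourserver.exe"}
SUSPICIOUS_SWITCHES = {"/server", "/firewall", "/run", "/ns"}

# Layer 2: persistence key (backslashes assumed) and covert-execution values.
PERSISTENCE_KEY = r"hklm\system\litemanager pro - server\parameters"
COVERT_VALUES = {r"callbacksettings\ip", "hidetrayicon", "noencryption", "starthidden"}

# Layer 3: C2 hosts listed in CERT-UA#1170; URL paths are elided on the page, so match on host only.
C2_HOSTS = {"62.80.164.9", "91.210.107.208"}

_SWITCH_RE = re.compile(r"(?<!\S)/[a-z]+", re.IGNORECASE)


def _norm_path(p: str) -> str:
    """Case-fold, unify separators and dash variants (the page shows an en dash in the key name)."""
    p = p.strip().strip('"').lower().replace("/", "\\")
    p = p.replace("\u2013", "-").replace("\u2014", "-")
    p = p.replace("hkey_local_machine", "hklm")
    return p.rstrip("\\")


def check_process(ev: dict) -> list:
    """Layer 1: image name must match; recognised switches are appended as extra reasons."""
    image = _norm_path(ev.get("image", "")).rsplit("\\", 1)[-1]
    if image not in SUSPICIOUS_IMAGES:
        return []
    reasons = [f"image:{image}"]
    switches = {s.lower() for s in _SWITCH_RE.findall(ev.get("cmdline", ""))}
    hits = sorted(switches & SUSPICIOUS_SWITCHES)
    if hits:
        reasons.append("switches:" + ",".join(hits))
    return reasons


def check_registry(ev: dict) -> list:
    """Layer 2: value written under the LiteManager Parameters key, directly or in a subkey."""
    key = _norm_path(ev.get("key", ""))
    if key != PERSISTENCE_KEY and not key.startswith(PERSISTENCE_KEY + "\\"):
        return []
    subkey = key[len(PERSISTENCE_KEY):].strip("\\")
    value = _norm_path(ev.get("value_name", ""))
    rel = "\\".join(part for part in (subkey, value) if part)
    return [f"registry:{rel}"] if rel in COVERT_VALUES else []


def check_network(ev: dict) -> list:
    """Layer 3: outbound connection or URL whose host is a report-listed C2 address."""
    if ev.get("direction", "outbound") != "outbound":
        return []
    reasons = []
    dest = ev.get("dest_ip", "")
    if dest in C2_HOSTS:
        reasons.append(f"dest_ip:{dest}")
    host = urlparse(ev.get("url", "")).hostname
    if host in C2_HOSTS:
        reasons.append(f"url_host:{host}")
    return reasons


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def evaluate(events) -> dict:
    """Run every event through the check for its telemetry type and summarise per layer."""
    hits = {layer: [] for layer in CHECKS}
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        reasons = check(ev) if check else []
        if reasons:
            hits[ev["type"]].append(reasons)
    layers_hit = [layer for layer, found in hits.items() if found]
    return {
        "hits": hits,
        "layers_hit": layers_hit,
        "alert": bool(layers_hit),
        # Two or more independent layers agreeing is the multi-layer signal, not a single IOC.
        "high_confidence": len(layers_hit) >= 2,
    }


# Constructed sample telemetry (not real logs) covering a hit and a miss per layer.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\lm\YOURServer.exe",
     "cmdline": r'"C:\ProgramData\lm\YOURServer.exe" /server /firewall /ns'},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "key": r"HKLM\SYSTEM\LiteManager Pro – Server\Parameters", "value_name": "HideTrayIcon"},
    {"type": "registry", "key": r"HKLM\SYSTEM\LiteManager Pro - Server\Parameters\callbacksettings", "value_name": "ip"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Vendor\App", "value_name": "StartHidden"},
    {"type": "network", "direction": "outbound", "dest_ip": "62.80.164.9", "url": "http://62.80.164.9/"},
    {"type": "network", "direction": "outbound", "dest_ip": "8.8.8.8", "url": ""},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for layer, found in result["hits"].items():
        print(f"{layer}: {found}")
    print("alert:", result["alert"], "high_confidence:", result["high_confidence"])
```

Running the file prints one line per layer with the reasons collected for each matching event, followed by the overall verdict. The registry check deliberately accepts both the en dash the page shows and the plain hyphen, and the StartHidden value under an unrelated key is ignored, which is the kind of false-positive guard a production XQL rule needs as well.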
Why It’s Innovative
This use case highlights Uncoder AI’s ability to:
- Combine diverse telemetry sources (process, registry, network)
- Automatically extract behavior chains (e.g., persistence, launch methods)
- Apply LLM-powered parsing to translate technical threat descriptions into production-ready XQL logic
Traditional IOC-based rules would only capture matches on domains or hashes. This feature goes deeper, building behavioral detections aligned to tactics, techniques, and configurations specific to the malware.

Operational Value / Benefits
- High-Fidelity Detections: Alerts are based on behaviors unique to LITERNAMAGER, not just one-time IOCs.
- Multi-Layer Coverage: Analysts gain detection logic across endpoint activity, registry changes, and external communication.
- Threat-Informed Engineering: XQL logic reflects real-world malware deployment steps, useful for both detection and validation.
The post Full Detection Logic for LITERNAMAGER in Cortex XSIAM via Uncoder AI appeared first on SOC Prime.
