Full Detection Logic for LITERNAMAGER in Cortex XSIAM via Uncoder AI

June 04, 2025 · 2 min read

How It Works

This Uncoder AI feature analyzes a complex CERT-UA#1170 threat report describing the LITERNAMAGER malware family and generates a Cortex XSIAM-compatible XQL rule. The AI extracts structured indicators and behaviors, then maps them to different Cortex datasets:

1. Process & Command Line Activity

The rule detects suspicious command-line execution of:

  • YOURClient.exe
  • YOURServer.exe

including switches like /server, /firewall, /run, /ns.

These are indicative of LITERNAMAGER’s deployment and control binaries.


2. Registry-Based Persistence

Registry keys under:

HKLM\SYSTEM\LiteManager Pro – Server\Parameters\

are checked for values like:

  • callbacksettingsip
  • HideTrayIcon
  • NoEncryption
  • StartHidden

These values point to silent or covert execution configurations of the remote admin tool.

3. Network Telemetry

Matches are triggered for outbound connections to known C2 infrastructure (e.g., http://62.80.164.9/..., http://91.210.107.208/...) seen in the original CERT-UA#1170 report. IPs and URLs are pulled directly into the rule.
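The three layers above, as an added Python example that is not the post's XQL rule and not Uncoder AI output: it applies the same process, registry and network checks to a handful of constructed events so the matching logic can be read and tested outside Cortex XSIAM. The event field names (type, image, cmdline, key, value, dst_ip) and the choice to require both a binary name and a switch for the process layer are assumptions.

```python
from typing import Optional

# Indicators from the three layers described above; names and IPs are the
# post's own, everything in SAMPLE_EVENTS is constructed.
PROCESS_NAMES = {"yourclient.exe", "yourserver.exe"}
CMD_SWITCHES = {"/server", "/firewall", "/run", "/ns"}
REG_KEY_PREFIX = "hklm\\system\\litemanager pro - server\\parameters\\"
REG_VALUES = {"callbacksettingsip", "hidetrayicon", "noencryption", "starthidden"}
C2_IPS = {"62.80.164.9", "91.210.107.208"}

def norm(s: str) -> str:
    # Case-fold and map the en dash shown in the post to a plain hyphen.
    return s.lower().replace("\u2013", "-")

def check_event(ev: dict) -> Optional[str]:
    """Return a reason string when the event matches one layer, else None."""
    kind = ev.get("type")
    if kind == "process":
        image = norm(ev.get("image", "")).rsplit("\\", 1)[-1]
        switches = CMD_SWITCHES & set(norm(ev.get("cmdline", "")).split())
        # Assumption: require the binary name AND at least one switch.
        if image in PROCESS_NAMES and switches:
            return f"process: {image} {sorted(switches)}"
    elif kind == "registry":
        if (norm(ev.get("key", "")).startswith(REG_KEY_PREFIX)
                and norm(ev.get("value", "")) in REG_VALUES):
            return f"registry: {ev['value']}"
    elif kind == "network" and ev.get("dst_ip") in C2_IPS:
        return f"network: {ev['dst_ip']}"
    return None

def run_detections(events: list) -> list:
    # Returns (index, reason) for every event that fires one of the layers.
    return [(i, r) for i, ev in enumerate(events) if (r := check_event(ev))]

# Constructed sample telemetry: three true positives and three benign events.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\Public\\YOURServer.exe",
     "cmdline": "YOURServer.exe /server /run"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "value": "StartHidden",
     "key": "HKLM\\SYSTEM\\LiteManager Pro \u2013 Server\\Parameters\\"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Vendor\\Settings", "value": "StartHidden"},
    {"type": "network", "dst_ip": "91.210.107.208", "dst_port": 80},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for idx, reason in run_detections(SAMPLE_EVENTS):
        print(idx, reason)  # fires for events 0, 2 and 4
```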

Why It’s Innovative

This use case highlights Uncoder AI’s ability to:

  • Combine diverse telemetry sources (process, registry, network)
  • Automatically extract behavior chains (e.g., persistence, launch methods)
  • Apply LLM-powered parsing to translate technical threat descriptions into production-ready XQL logic

Traditional IOC-based rules would only capture matches on domains or hashes. This feature goes deeper, building behavioral detections aligned to tactics, techniques, and configurations specific to the malware.

Operational Value / Benefits

  • High-Fidelity Detections: Alerts are based on behaviors unique to LITERNAMAGER, not just one-time IOCs.
  • Multi-Layer Coverage: Analysts gain detection logic across endpoint activity, registry changes, and external communication.
  • Threat-Informed Engineering: XQL logic reflects real-world malware deployment steps, useful for both detection and validation.
