How to Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner

Introduction

This blog explains how McAfee Adaptive Threat Protection (ATP) rules are used in McAfee Endpoint Security products. It helps you understand how ATP rules work and how they can be used to prevent infection by common malware families such as Emotet, LemonDuck and PowerMiner. Read the Recommendations section for rules that can be enabled effectively in your environment.

ATP rules are an attack surface reduction technology that detects suspicious use of operating system and application functions. The rules target behavior that malware authors commonly abuse. Legitimate applications can sometimes exhibit the same behavior, so the rules need to be configured for the environment they run in.

The ATP rules in McAfee Endpoint Security (ENS) 10.5.3 and above have detected more than a million pieces of malware since the beginning of 2020. This blog shows how to enable ATP rules and why they should be enabled, by highlighting some of the malware we detect with them. It also shows how to maximize detection by configuring specific settings.

Let's start with the big picture. We publish ATP rules in three states: Evaluate, DefaultOn and HighOn.

Evaluate rules are assessed in the field to determine whether they are reliable enough to detect malicious activity without generating false positives. After a rule has spent some time in evaluate mode, McAfee researchers analyze its performance and either adjust it or promote it to DefaultOn or HighOn. Administrators of ENS ATP clients connected to McAfee ePolicy Orchestrator (ePO) can manually switch Evaluate rules to enabled mode.

DefaultOn rules are created when McAfee is confident that no legitimate application exhibits the behavior. These rules are enabled by default in all McAfee Endpoint Security rule groups.

HighOn rules describe behavior that is known to be malicious but may to some extent overlap with legitimate applications. These rules run in observe mode for systems in the Balanced rule group but in enabled mode for systems in the Security rule group. Later in this blog we show how the rule group assigned in the endpoint security products can be changed to enable HighOn rules.

How to enable ATP rules in ENS 10.5.3 and above

By default, many ATP rules are in observe mode. To switch these rules to active block mode, log in to the ePO console and go to Menu->Configuration->Server Settings.

Figure 1. Rules in the Balanced rule group.

Select Adaptive Threat Protection and choose the desired rule group (Productivity, Balanced or Security).

As you can see in Figure 1, Rule 329 is in observe mode in the Balanced rule group, and in Figure 2 below you can see that it is enabled by default in the Security rule group.

Note: as mentioned above, we review the rules periodically and make changes, so you may see different settings in your environment depending on the content version.

Figure 2. Rules in the Security rule group.

To enable a rule, click Edit under Rules, select the rule you want to change, then select the desired state: Disabled, Enabled or Observe. Figure 3 shows how the state of Rule 256 can be changed to enable detection of remote downloaders and bundles.

Figure 3. Changing the state of a rule.

Click Save and the rule should be enabled on the clients within minutes. Here you can see that Rule 256, once enabled, blocks the malicious file JTI/Suspect.131328.

Figure 4. Evaluate rule blocking after being enabled.

Changing the assigned rule group to use HighOn rules in ENS 10.5.3 and above

In this section we show how to change the rule group to Security, which by default enables all HighOn rules in block mode. Before moving to this rule group, we recommend checking the logs to make sure the HighOn rules are not detecting legitimate activity in your environment.

To change the rule group, log in to the ePO console and go to Menu->Systems->System Tree.

Figure 5. Select the system group to change the ATP policy.

Select the group and click the Assigned Policies tab. Select Endpoint Security Adaptive Threat Protection from the product drop-down list.

Figure 6. Select the policy to change the assigned rule group.

In the Options category, click the My Default policy.

Figure 7. Change the rule group to Security.

Scroll down to Rule Assignment. From the Rule Assignment drop-down list select Security and click Save. This moves all clients using the My Default policy into the Security rule group.

Enabling HighOn rules on MVISION Endpoint

To enable HighOn rules, the MVISION Endpoint policy must be set to High Protection, if it is not already set by default. Follow these steps:

Log in to the ePO console and go to Menu->Systems->System Tree.

Figure 8. Select the system group to change the MVISION Endpoint policy.

Select the group and click the Assigned Policies tab. Select MVISION Endpoint from the product drop-down list.

Figure 9. Select the policy to change the protection mode.

Click the Edit Assignment button under the General category.

Figure 10. Changing the MVISION Endpoint policy to High Protection.

Change "Inherit from" to "Break inheritance and assign the policy and settings below". Then change the assigned policy to High Protection in the drop-down list and click Save. This enables all HighOn rules.

ATP Rules in the Wild

This section looks at three common threats detected by ATP rules. We highlight one rule for each publish state (DefaultOn, HighOn and Evaluate) to show the importance of monitoring rule updates and enabling more aggressive rules where they are appropriate for your environment.

PowerMiner (DefaultOn example)

PowerMiner is cryptomining malware that has been spreading since 2019. We covered this malware in a previous blog about AMSI detection. Its purpose is to infect as many machines as possible to mine Monero. The initial infection vector is a phishing email carrying a batch file. Once the batch file is executed, a malicious PowerShell script runs and starts the infection process.

ATP DefaultOn Rule 263 (detect suspicious URL access) and Rule 262 (detect execution of suspicious commands) block this threat when PowerShell, launched by Dropper.bat, attempts to download the malicious PS1 file.

This is marked with a red cross in the diagram above. As mentioned in the AMSI blog, this threat is also covered by our AMSI signatures, but as with many threats we have several layers of detection in case malware authors change their code to bypass one of them.

The map below shows detections of this threat by the ATP rules mentioned above between October 2019 and January 2020.

LemonDuck (HighOn example)

LemonDuck is, like PowerMiner, cryptomining malware. It spreads in several ways, including EternalBlue and Mimikatz. Once a machine is infected, LemonDuck creates a number of scheduled tasks that download the different components with cryptomining functionality. The following diagram shows the LemonDuck infection flow:

ATP HighOn Rule 329 (identify suspicious usage of scheduled tasks, for Security rule group assignment) blocks LemonDuck on systems in the Security rule group when it creates the scheduled task. As with PowerMiner, McAfee also has an AMSI signature that detects this threat as LemonDuck!

The map below shows detections of this threat by the ATP rule mentioned above between October 2019 and January 2020.

Emotet Downloader (Evaluate example)

Emotet is a Trojan responsible for downloading and executing several high-profile malware families, including Trickbot, which in turn is known for downloading and executing Ryuk ransomware. Emotet is usually downloaded and executed on the victim's machine via malicious documents sent by email. The malicious document uses PowerShell to download and execute the Emotet executable. The flow is shown below:

McAfee ATP Rule 256 (detect use of long encoded PowerShell command) and Rule 264 (inspect EncodedCommand PowerShell) detect this behavior when enabled. They are not enabled by default, as this behavior can be legitimate. We therefore recommend checking the detections in evaluate mode and, if no false positives appear, enabling them. Rule 256 also blocks other malware that performs the same actions, such as Trickbot. The map below shows detections under Rule 256 between October 2019 and January 2020. It includes all threats detected by this rule, not just Emotet.

Recommendations

You are probably wondering which rules to enable. First, enabling ATP rules does not affect performance, but as mentioned in the introduction they can sometimes produce false positives.

From the ATP rule set, we recommend enabling the observe-mode rules mentioned in this blog.

In addition to the rules mentioned for each threat, the following rules can be enabled from the ePO console as described above. As mentioned, McAfee researchers are constantly evaluating these rules, so they may move to another publish state or be merged with other existing rules.

  • Rule 238 – Identify abnormal common processes running from non-standard locations
    • Protects against files in suspicious locations that attackers often use.
  • Rule 309 – Block processes attempting to launch from Office applications
    • Office documents are a major vector for spreading malware. This rule prevents Office applications from being abused to deliver malicious payloads.
  • Rule 312 – Prevent email applications such as Outlook from spawning script editors and dual-use tools
    • Spam is a common initial attack vector for malware authors. This rule detects suspicious use of mail applications and prevents unusual child processes from being launched.
  • Rule 323 – Prevent mshta from being launched as a child process
    • Related to MITRE ATT&CK T1170. Mshta.exe is a utility that runs Microsoft HTML Applications (HTA). Attackers can use mshta.exe to execute malicious .hta, JavaScript or VBScript files. This rule helps to detect such malicious use. You can learn more about mshta here.

In general, we advise you to analyze your ATP logs to see whether the rules in observe mode are generating detections. If you find rules that are not triggering on legitimate usage, we recommend switching them to enabled mode.

We recommend applying the changes first to an ePO group containing a small number of machines and then monitoring that group for false positives. If there are no false positives, you can roll the changes out to a larger group.

KB82925 lists all available ATP rules. You can also refer to the ATP rule release notes, which are updated when new rules are created or existing rules change.

Conclusion

We hope this blog has helped to highlight how ATP rules protect your environment against various threats. By combining this technology with others, such as AMSI, we improve overall protection.

This blog continues our series demonstrating our technologies, so we recommend that you also read the following:

McAfee Protects Against Suspicious Email Attachments

McAfee AMSI Integration Protects Against Malicious Scripts

Using Expert Rules in ENS to Prevent Malicious Exploits

What Is Mshta, How Can It Be Used and How to Protect Against It

All tests were performed with JTI content version 1134 and MVISION Endpoint version 20.1.0.114 (in High Protection mode).
