The hypothesis is that the detection of the Moonlight Maze ‘cle’ log cleaning tool indicates an adversary is attempting to erase forensic evidence from system logs to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence or data exfiltration activities.
YARA Rule
rule apt_RU_MoonlightMaze_cle_tool {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'cle' log cleaning tool"
        hash = "647d7b711f7b4434145ea30d0ef207b0"
    strings:
        $a1 = "./a filename template_file" ascii wide
        $a2 = "May be %s is empty?" ascii wide
        $a3 = "template string = |%s|" ascii wide
        $a4 = "No blocks !!!"
        $a5 = "No data in this block !!!!!!" ascii wide
        $a6 = "No good line"
    condition:
        ((3 of ($a*)))
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
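To make the rule's matching semantics concrete, the following is an added example (not part of the original page or Kaspersky's rule) that re-implements the six strings and the "3 of ($a*)" condition in plain Python, including the ascii/wide modifier difference, and runs it over constructed sample buffers; the buffers are invented for illustration and are not real samples.

```python
# Added example: plain-Python re-implementation of the rule's string set and
# "3 of ($a*)" condition, so the matching logic can be inspected without a
# YARA install. All sample buffers below are constructed, not real files.

STRINGS = {
    # identifier: (pattern, ascii, wide) -- mirrors the modifiers in the rule
    "$a1": ("./a filename template_file", True, True),
    "$a2": ("May be %s is empty?", True, True),
    "$a3": ("template string = |%s|", True, True),
    "$a4": ("No blocks !!!", True, False),           # no 'wide' in the rule
    "$a5": ("No data in this block !!!!!!", True, True),
    "$a6": ("No good line", True, False),            # no 'wide' in the rule
}
THRESHOLD = 3  # condition: 3 of ($a*)


def matched_strings(data: bytes) -> list:
    """Return identifiers of rule strings found in data (ascii or UTF-16LE)."""
    hits = []
    for ident, (pattern, is_ascii, is_wide) in STRINGS.items():
        encodings = []
        if is_ascii:
            encodings.append(pattern.encode("ascii"))
        if is_wide:
            encodings.append(pattern.encode("utf-16-le"))  # YARA 'wide' form
        if any(enc in data for enc in encodings):
            hits.append(ident)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition '3 of ($a*)' over one buffer."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples. The first carries three ascii strings and matches; the
# second carries the same strings as UTF-16LE, but $a4 and $a6 are ascii-only
# in the rule, so only $a2 is counted and the rule does not fire; the third is
# benign logrotate configuration text.
CLE_LIKE_ASCII = (b"\x7fELF\x00\x00"
                  b"./a filename template_file\x00"
                  b"No blocks !!!\x00No good line\x00")
CLE_LIKE_WIDE = ("No blocks !!!".encode("utf-16-le")
                 + "No good line".encode("utf-16-le")
                 + "May be %s is empty?".encode("utf-16-le"))
LOGROTATE_CONF = b"/var/log/syslog {\n    rotate 7\n    compress\n}\n"

if __name__ == "__main__":
    for name, buf in (("cle_like_ascii", CLE_LIKE_ASCII),
                      ("cle_like_wide", CLE_LIKE_WIDE),
                      ("logrotate_conf", LOGROTATE_CONF)):
        print(name, matched_strings(buf), rule_matches(buf))
```

The second sample shows why a rule string without the wide modifier will not hit a UTF-16 build of the same text, which matters when deciding whether the rule's coverage is sufficient for the hunt.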
Scenario: Scheduled Log Rotation Job
Description: A legitimate scheduled job (e.g., logrotate) is running and cleaning up old log files, which may trigger the rule due to similar file operations.
Filter/Exclusion: Check for the presence of logrotate or logrotate.conf in the process name or command line. Exclude processes where /etc/logrotate.d/ is in the path.
Scenario: System Log Cleanup by Admin
Description: An administrator manually runs a script or tool (e.g., logclean, logrotate, or find) to clean up old system logs.
Filter/Exclusion: Filter out processes initiated by admin users (e.g., root, sysadmin) or check for the presence of known admin tools in the command line.
Scenario: Log File Compression by Archive Tool
Description: A tool like gzip or tar is compressing log files as part of a regular maintenance task, which may resemble log cleaning behavior.
Filter/Exclusion: Exclude processes involving compression utilities (gzip, tar, bzip2) or check for file extensions like .gz, .tar.gz, or .bz2.
Scenario: Log File Archiving via Backup Tool
Description: A backup tool (e.g., rsync, tar, or backuppc) is archiving log files to a remote server, which could be mistaken for log cleaning.
Filter/Exclusion: Filter out processes that include backup-related paths (e.g., /backup/, /var/backups/) or check for known backup tools in the command line.
Scenario: Log File Purge via Cron Job
Description: A cron job is configured to purge old log files (e.g., using find or rm)