Moonlight Maze operators ran customised builds of the Loki2 backdoor, and those builds' usage and error messages carry strings the attackers wrote themselves: misspellings such as "parametrs" and vowel-stripped messages such as "cld nt sgnl prnt". The rule's own description calls them attacker-authored; they come from the operators' source edits rather than from the published Loki2 code, which is what makes them a reliable, low-collision signature for the samples (they are not an evasion technique). The rule below, published by Kaspersky Lab during its 2017 Moonlight Maze research, detects those strings. It is a YARA content signature for files and process memory, not a log query: SOC teams run it through endpoint, repository or sandbox scanners and forward the scanner's alerts to a SIEM such as Azure Sentinel, where the matched string and file hash can then be hunted and correlated.
YARA Rule
rule apt_RU_MoonlightMaze_customlokitools {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-15"
        version = "1.1"
        last_modified = "2017-03-22"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings"
        hash = "14cce7e641d308c3a177a8abb5457019"
        hash = "a3164d2bbc45fb1eef5fde7eb8b245ea"
        hash = "dabee9a7ea0ddaf900ef1e3e166ffe8a"
        hash = "1980958afffb6a9d5a6c73fc1e2795c2"
        hash = "e59f92aadb6505f29a9f368ab803082e"
    strings:
        $a1="Write file Ok..." ascii wide
        $a2="ERROR: Can not open socket...." ascii wide
        $a3="Error in parametrs:" ascii wide
        $a4="Usage: @<get/put> <IP> <PORT> <file>" ascii wide
        $a5="ERROR: Not connect..." ascii wide
        $a6="Connect successful...." ascii wide
        $a7="clnt <%d> rqstd n ll kll" ascii wide
        $a8="clnt <%d> rqstd swap" ascii wide
        $a9="cld nt sgnl prcs grp" ascii wide
        $a10="cld nt sgnl prnt" ascii wide
        //keeping only ascii version of string ->
        $a11="ork error" ascii fullword
    condition:
        ((any of ($a*)))
}
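To make the string modifiers concrete, the following is an added Python re-implementation of how this rule's strings match (ascii, wide, fullword, and the any-of condition). It is not Kaspersky's code and is no substitute for running the rule in YARA; the sample buffers are constructed for the demonstration and are not real Moonlight Maze artefacts. It shows why a UTF-16LE copy of a string still fires ($a1-$a10 are `ascii wide`), and why the `fullword` modifier on $a11 keeps the common "fork error" message from matching.

```python
"""Re-implementation of the string semantics in apt_RU_MoonlightMaze_customlokitools
(ascii, wide, fullword, any of) so the matching behaviour can be studied without
a YARA install.  Added illustration, not Kaspersky's code."""
import re
from typing import Dict, List, Tuple

# Strings copied from the rule.  Tuple: (text, wide, fullword).
# $a1-$a10 are 'ascii wide'; $a11 is 'ascii fullword' only.
ATOMS: Dict[str, Tuple[str, bool, bool]] = {
    "$a1": ("Write file Ok...", True, False),
    "$a2": ("ERROR: Can not open socket....", True, False),
    "$a3": ("Error in parametrs:", True, False),
    "$a4": ("Usage: @<get/put> <IP> <PORT> <file>", True, False),
    "$a5": ("ERROR: Not connect...", True, False),
    "$a6": ("Connect successful....", True, False),
    "$a7": ("clnt <%d> rqstd n ll kll", True, False),
    "$a8": ("clnt <%d> rqstd swap", True, False),
    "$a9": ("cld nt sgnl prcs grp", True, False),
    "$a10": ("cld nt sgnl prnt", True, False),
    "$a11": ("ork error", False, True),
}


def build_pattern(text: str, wide: bool, fullword: bool) -> "re.Pattern[bytes]":
    """Translate one YARA text string plus its modifiers into a bytes regex.

    ascii    -> the literal bytes.
    wide     -> additionally the UTF-16LE form (each ASCII byte followed by NUL),
                which is what YARA's 'wide' modifier produces for ASCII text.
    fullword -> no alphanumeric byte immediately before or after the match.
                Only applied to ascii atoms here, which is all this rule needs.
    """
    variants = [re.escape(text.encode("ascii"))]
    if wide:
        variants.append(re.escape(text.encode("utf-16-le")))
    body = b"(?:" + b"|".join(variants) + b")"
    if fullword:
        body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
    return re.compile(body)


PATTERNS = {name: build_pattern(*spec) for name, spec in ATOMS.items()}


def matched_strings(data: bytes) -> List[str]:
    """Identifiers of the rule strings found in data, in rule order."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_fires(data: bytes) -> bool:
    """The rule's condition is any of ($a*): a single hit is enough."""
    return bool(matched_strings(data))


# Constructed samples for the demonstration (not real malware).
SAMPLE_ELF_ASCII = (
    b"\x7fELF" + b"\x00" * 12
    + b"Usage: @<get/put> <IP> <PORT> <file>\x00ERROR: Not connect...\x00"
)
SAMPLE_WIDE = b"MZ" + b"\x00" * 6 + "cld nt sgnl prnt".encode("utf-16-le")
SAMPLE_FORK_ERROR = b"daemon: fork error: Cannot allocate memory\n"  # 'f' blocks fullword
SAMPLE_FULLWORD_HIT = b"[loki] ork error\n"                          # boundaries satisfied
SAMPLE_BENIGN = b"Connection refused\n"

if __name__ == "__main__":
    for label, blob in [
        ("ascii strings in an ELF-like blob", SAMPLE_ELF_ASCII),
        ("UTF-16LE string in a PE-like blob", SAMPLE_WIDE),
        ("'fork error' (fullword blocks $a11)", SAMPLE_FORK_ERROR),
        ("' ork error' (fullword satisfied)", SAMPLE_FULLWORD_HIT),
        ("benign text", SAMPLE_BENIGN),
    ]:
        print(f"{label:40s} fires={str(rule_fires(blob)):5s} {matched_strings(blob)}")
```

Running the block prints one line per sample; the ELF-like blob reports $a4 and $a5, the UTF-16LE blob reports $a10 even though the ascii form never appears, and only the "ork error" buffer with non-alphanumeric neighbours reports $a11.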
This YARA rule is a content signature rather than a log query, so it is deployed wherever a YARA engine can read files or memory: on-demand and scheduled file scans of hosts, EDR memory scans of running processes, and malware-repository or sandbox pipelines. Process command lines and event logs are not what it inspects.
The rule contains 11 string patterns and its condition is any of ($a*), so one occurrence of one string anywhere in a scanned object is enough to fire. $a1 to $a10 are searched in both ascii and wide (UTF-16LE) form; $a11 ("ork error") is ascii-only and fullword, so it does not match inside "fork error" or "work error". The benign sources of matches to plan for are files that legitimately contain the strings themselves:
Scenario: Signature packs and threat-intelligence documents
Description: Any file that quotes the rule's strings verbatim matches, because the condition is any of ($a*): this rule file itself, other YARA or IDS signature bundles, and reports or write-ups on Moonlight Maze that reproduce the Loki strings.
Filter/Exclusion: Exclude the scanner's own signature directories and the threat-intelligence document store by path, and triage a hit in a plain-text file (no ELF or PE header) below a hit in an executable or in process memory.
Scenario: SOC hunting scripts that embed the strings
Description: A PowerShell or shell script written by the SOC team to search for these strings (for example one containing "clnt <%d> rqstd swap" as a search pattern) matches when it is scanned on disk, and again when an EDR memory scan reads the interpreter process running it.
Filter/Exclusion: Keep such scripts in a known tooling path and exclude that path, or allowlist them by hash; do not exclude by interpreter (powershell.exe, bash), since that would also hide an interpreter running attacker code.
Scenario: Logs and alert records of earlier matches
Description: Scanner logs, SIEM exports and ticket attachments that record which string matched contain the string themselves and re-trigger the rule on the next scan.
Filter/Exclusion: Exclude the log and export directories of the scanning tools, or store matched-string details in a form the scanner does not re-read.
Scenario: Automated backup job execution
Description: An automated backup job (e.g., wbadmin.exe) is executed