Adversaries may use the Moonlight Maze sniffer tools to capture network traffic and stage sensitive data for exfiltration; a match on a host therefore indicates a likely ongoing network compromise. The rule below detects two of these sniffers, ora and tdn, by strings embedded in the binaries (hard-coded output paths under /var/tmp and the format strings used in their logs) rather than by packet-capture behaviour. SOC teams should scan endpoints with this rule, ingest the matches into Azure Sentinel, and hunt on them proactively to identify and mitigate early-stage espionage activity that traditional detections may miss.
YARA Rule
rule apt_RU_MoonlightMaze_customsniffer {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-15"
        version = "1.1"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze sniffer tools"
        hash = "7b86f40e861705d59f5206c482e1f2a5"
        hash = "927426b558888ad680829bd34b0ad0e7"
        original_filename = "ora;tdn"
    strings:
        //strings from ora ->
        $a1="/var/tmp/gogo" fullword
        $a2="myfilename= |%s|" fullword
        $a3="mypid,mygid=" fullword
        $a4="mypid=|%d| mygid=|%d|" fullword
        //strings from tdn ->
        $a5="/var/tmp/task" fullword
        $a6="mydevname= |%s|" fullword
    condition:
        ((any of ($a*)))
}
The rule contains six string patterns: $a1 to $a4 come from the ora sniffer and $a5 to $a6 from tdn. Its condition is any of ($a*), so a single string is enough for a match; that keeps the rule sensitive but also means each matched string should be reviewed on its own when triaging a hit. Because the strings are specific to these two binaries, legitimate packet-capture tools should not trigger the rule on a plain file scan. The process-name exclusions in the scenarios below apply only when a hit is correlated with process telemetry (for example in Azure Sentinel) and an approved capture tool is involved. A process name is trivial for an attacker to spoof, so scope each exclusion narrowly and never suppress a hit on the process name alone.
Scenario: Legitimate network traffic analysis using Wireshark
Description: A security analyst is using Wireshark to analyze network traffic for troubleshooting or compliance purposes.
Filter/Exclusion: process.name != "wireshark" and process.name != "tshark"
Scenario: Scheduled system diagnostics using Microsoft Network Monitor
Description: A scheduled task runs Microsoft Network Monitor to capture and analyze network packets for performance tuning.
Filter/Exclusion: process.name != "netmon.exe" and process.name != "nmcap.exe"
Scenario: Admin task using tcpdump for packet capture
Description: A system administrator uses tcpdump to capture packets for forensic analysis or network troubleshooting.
Filter/Exclusion: process.name != "tcpdump"
Scenario: Automated log analysis using Splunk with packet capture
Description: A Splunk job is configured to collect and analyze packet captures from a network tap for log correlation.
Filter/Exclusion: process.name != "splunkd" and process.name != "splunkforwarder"
Scenario: Security tool testing with a sniffer tool like tshark
Description: A red team or security team is testing a sniffer tool (e.g., tshark) in a controlled environment to validate detection rules.
Filter/Exclusion: process.name != "tshark" and process.name != "wireshark"
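The following is an added example, not Kaspersky's code and not part of the original page. It re-implements the string and condition logic of apt_RU_MoonlightMaze_customsniffer in plain Python (including YARA's fullword semantics), runs it over constructed sample buffers, and then applies the process-name exclusion logic from the scenarios above to correlated hits. The sample buffers, host names, paths and the EXCLUDED_PROCESSES set are fabricated for illustration; they are not the real ora/tdn binaries, and the script is a teaching aid rather than a replacement for running yara itself.

```python
"""Pure-Python walk-through of the Moonlight Maze sniffer rule.
Added example: not Kaspersky's code; all sample data is constructed."""
import re

# The six strings from the rule, keyed by their YARA identifiers.
PATTERNS = {
    "$a1": b"/var/tmp/gogo",           # ora
    "$a2": b"myfilename= |%s|",        # ora
    "$a3": b"mypid,mygid=",            # ora
    "$a4": b"mypid=|%d| mygid=|%d|",   # ora
    "$a5": b"/var/tmp/task",           # tdn
    "$a6": b"mydevname= |%s|",         # tdn
}
ORA_IDS = {"$a1", "$a2", "$a3", "$a4"}
TDN_IDS = {"$a5", "$a6"}


def _fullword(pattern: bytes) -> re.Pattern:
    """YARA 'fullword': the string must not be immediately preceded or
    followed by an ASCII alphanumeric byte. Punctuation and NUL bytes are
    fine, so b'/var/tmp/gogo\\x00' matches while b'/var/tmp/gogo2' does not."""
    return re.compile(rb"(?<![0-9A-Za-z])" + re.escape(pattern) + rb"(?![0-9A-Za-z])")


COMPILED = {ident: _fullword(s) for ident, s in PATTERNS.items()}


def scan(data: bytes) -> dict:
    """Evaluate the rule against one buffer. The condition is any of ($a*),
    so one matching string is enough for a verdict of True."""
    matched = sorted(ident for ident, rx in COMPILED.items() if rx.search(data))
    family = []
    if ORA_IDS & set(matched):
        family.append("ora")
    if TDN_IDS & set(matched):
        family.append("tdn")
    return {"matched": matched, "condition": bool(matched), "family": family}


# Constructed sample inputs (fabricated for this example, not real malware).
SAMPLES = {
    # ora-like: an ELF header followed by two of the ora strings.
    "ora_like": b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                + b"/var/tmp/gogo\x00mypid=|%d| mygid=|%d|\x00",
    # tdn-like: the tdn output path and device-name format string.
    "tdn_like": b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                + b"mydevname= |%s|\x00/var/tmp/task\x00",
    # A legitimate sniffer's strings: none of the rule strings is present.
    "tcpdump_like": b"tcpdump: listening on %s, link-type %s\x00/var/tmp/tcpdump.pcap\x00",
    # Rule strings glued to an alphanumeric byte: fullword rejects both.
    "fullword_miss": b"/var/tmp/gogo2\x00mypid=|%d| mygid=|%d|X\x00",
}


def scan_samples() -> dict:
    return {name: scan(data) for name, data in SAMPLES.items()}


# Correlation step: a file hit is enriched with the process that created or
# runs the file, and approved capture tools are excluded. The membership test
# must be a conjunction: `name != "a" or name != "b"` is true for every
# process and excludes nothing. Names here are assumptions, not from the page.
EXCLUDED_PROCESSES = {"wireshark", "tshark", "tcpdump", "netmon.exe",
                      "nmcap.exe", "splunkd"}


def triage(hits: list) -> list:
    """Keep hits whose rule condition is true and whose process is not an
    approved capture tool. `hits` are constructed event records."""
    return [
        h for h in hits
        if h["result"]["condition"]
        and h["process_name"].lower() not in EXCLUDED_PROCESSES
    ]


def triage_samples() -> list:
    """Constructed events: returns the paths that survive the exclusions."""
    results = scan_samples()
    events = [
        {"host": "web01", "path": "/var/tmp/.x/ora", "process_name": "ora",
         "result": results["ora_like"]},
        {"host": "web01", "path": "/usr/sbin/tcpdump", "process_name": "tcpdump",
         "result": results["tcpdump_like"]},
        # A real tdn binary renamed to look like tshark slips past the filter.
        {"host": "db02", "path": "/tmp/tdn", "process_name": "tshark",
         "result": results["tdn_like"]},
    ]
    return [e["path"] for e in triage(events)]


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:14s} condition={result['condition']} matched={result['matched']}")
    print("surviving hits:", triage_samples())
```

The third constructed event is the caveat in code: the db02 hit is a genuine tdn match, but because the process calls itself tshark the name-based exclusion suppresses it. That is why the exclusions above should be scoped to known installation paths, signed binaries or specific hosts rather than to a bare process name, and why a file-level YARA match should be escalated regardless of the process name once the matched strings have been confirmed.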