The hypothesis is that detection of the Moonlight Maze 'de' and 'deg' tunnel tools indicates possible adversary use of covert communication channels to exfiltrate data or to maintain persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel so that advanced persistent threat (APT) activity is identified and mitigated early, especially because the rule's low severity rating may mask the true risk posed by this malware.
YARA Rule
rule apt_RU_MoonlightMaze_de_tool {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool"
        hash = "4bc7ed168fb78f0dc688ee2be20c9703"
        hash = "8b56e8552a74133da4bc5939b5f74243"
    strings:
        $a1 = "Vnuk: %d" ascii fullword
        $a2 = "Syn: %d" ascii fullword
        // "%s\n%s\n%s\n%s\n" as raw bytes (0x0A is LF) ->
        $a3 = {25 73 0A 25 73 0A 25 73 0A 25 73 0A}
    condition:
        2 of ($a*)
}
This rule contains 3 string patterns in its detection logic.
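To make the condition concrete, the following added example (not part of the Kaspersky rule or of this page) emulates the rule's matching logic in plain Python: the two ASCII strings are checked with YARA's fullword semantics (no alphanumeric byte directly before or after the match), the hex string is checked as a raw byte sequence, and the "2 of ($a*)" condition is evaluated over constructed sample buffers. The sample buffers are constructed for illustration and are not real samples.

```python
# Added example (not from the page or from Kaspersky): emulate the rule's
# string matching and "2 of ($a*)" condition on constructed buffers.

# Patterns copied from the rule above.
FULLWORD_STRINGS = {"$a1": b"Vnuk: %d", "$a2": b"Syn: %d"}
HEX_STRINGS = {"$a3": bytes.fromhex("25730A25730A25730A25730A")}  # "%s\n%s\n%s\n%s\n"
REQUIRED_MATCHES = 2  # condition: 2 of ($a*)


def _is_alnum_byte(b: int) -> bool:
    """YARA's 'fullword' treats [A-Za-z0-9] as word characters."""
    return (0x30 <= b <= 0x39) or (0x41 <= b <= 0x5A) or (0x61 <= b <= 0x7A)


def fullword_present(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no alphanumeric byte on either side."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        j = i + len(needle)
        before_ok = i == 0 or not _is_alnum_byte(data[i - 1])
        after_ok = j == len(data) or not _is_alnum_byte(data[j])
        if before_ok and after_ok:
            return True
        start = i + 1  # this occurrence was glued to a word; keep searching


def matched_strings(data: bytes) -> list:
    """Names of the rule's strings that match, in declaration order."""
    hits = [name for name, s in FULLWORD_STRINGS.items() if fullword_present(data, s)]
    hits += [name for name, s in HEX_STRINGS.items() if s in data]
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule fires when at least REQUIRED_MATCHES of its strings are present."""
    return len(matched_strings(data)) >= REQUIRED_MATCHES


# Constructed sample buffers (not real samples); NUL bytes stand in for C string terminators.
SAMPLE_ALL_THREE = b"\x00Vnuk: %d\x00Syn: %d\x00%s\n%s\n%s\n%s\n\x00"
SAMPLE_ONE_STRING = b"junk Syn: %d more"
SAMPLE_GLUED = b"xVnuk: %d0 and Syn: %dz"  # same text, but embedded inside longer words
SAMPLE_TWO_OF_THREE = b"\x00Syn: %d\x00" + HEX_STRINGS["$a3"]

if __name__ == "__main__":
    for label, buf in [
        ("all three", SAMPLE_ALL_THREE),
        ("one string", SAMPLE_ONE_STRING),
        ("glued", SAMPLE_GLUED),
        ("two of three", SAMPLE_TWO_OF_THREE),
    ]:
        print(f"{label:13s} strings={matched_strings(buf)} match={rule_matches(buf)}")
```

The "glued" buffer shows why fullword matters for tuning: the same text inside a longer token does not count, which keeps strings like "Syn: %d" from firing on unrelated binaries that merely embed similar format strings. In production the rule is of course evaluated by YARA itself; this emulation only makes the condition's behaviour visible.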
False-positive scenarios and exclusions

Scenario: Legitimate use of deg in a backup script
Description: A system administrator uses a custom script that calls deg as part of a data encryption process for backups.
Filter/Exclusion: Exclude processes where the command is executed from a known backup directory (e.g., /opt/backup/scripts/) and by a user with administrative privileges (e.g., backup_user).

Scenario: Scheduled job using de for data compression
Description: A scheduled job runs a script that uses de (a decompression tool) to extract logs or configuration files.
Filter/Exclusion: Exclude processes initiated by the cron daemon and where the command path includes /usr/bin/de or similar standard decompression utilities.

Scenario: Admin task using deg for network diagnostics
Description: A network administrator uses deg as part of a diagnostic tool to analyze network traffic or to test tunneling capabilities during a security audit.
Filter/Exclusion: Exclude processes initiated by the root user and where the command is executed from a security audit tool directory (e.g., /opt/audit_tools/).

Scenario: Use of de in a legitimate encryption tool
Description: A security team uses a third-party encryption tool that includes a command named de for decrypting files.
Filter/Exclusion: Exclude processes where the command is part of a known encryption tool (e.g., /usr/local/bin/secure_decrypt) and is executed by a user with the security_admin role.

Scenario: System update using deg for package management
Description: A package manager or update tool uses deg as part of its internal logic to manage package dependencies or to decompress files during an update.
Filter/Exclusion: Exclude processes where
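The four complete exclusion scenarios above are easier to reason about as predicates over process-creation events. The added example below (not from the page's rule set or from any product) encodes them that way and triages constructed events: the event fields, the `roles` attribute, the hostnames, paths, users and command lines are assumptions for illustration and should be mapped to your own telemetry schema. The truncated fifth scenario is not encoded.

```python
# Added example (not from the page): apply the page's exclusion scenarios to
# constructed process-creation events and decide which ones still alert.
import os
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    roles: tuple        # assumed: roles attached to the user, e.g. ("security_admin",)
    parent_name: str    # parent process name, e.g. "cron" or "bash"
    image: str          # full path of the executed binary
    cmdline: str


TUNNEL_TOOL_NAMES = {"de", "deg"}

# Each entry mirrors one "Filter/Exclusion" line above. Every predicate combines a
# location with an identity (user, role or parent), so a same-named binary dropped
# elsewhere, or run by someone else, still alerts.
EXCLUSIONS = [
    ("backup script",
     lambda e: e.image.startswith("/opt/backup/scripts/") and e.user == "backup_user"),
    ("cron decompression job",
     lambda e: e.parent_name == "cron" and e.image.startswith("/usr/bin/de")),
    ("security audit tooling",
     lambda e: e.user == "root" and e.image.startswith("/opt/audit_tools/")),
    ("known encryption tool",
     lambda e: e.image.startswith("/usr/local/bin/secure_decrypt") and "security_admin" in e.roles),
]


def is_tunnel_tool_name(image: str) -> bool:
    """Only the exact basenames 'de' and 'deg' are of interest (not e.g. 'degree')."""
    return os.path.basename(image) in TUNNEL_TOOL_NAMES


def triage(event: ProcessEvent) -> str:
    """Return 'ignore' (name does not match), 'excluded:<reason>' or 'alert'."""
    if not is_tunnel_tool_name(event.image):
        return "ignore"
    for reason, predicate in EXCLUSIONS:
        if predicate(event):
            return f"excluded:{reason}"
    return "alert"


def alerts(events) -> list:
    """Events that survive every exclusion and should reach an analyst."""
    return [e for e in events if triage(e) == "alert"]


# Constructed events (not real telemetry); addresses are documentation ranges.
SAMPLE_EVENTS = [
    ProcessEvent("srv-01", "backup_user", (), "bash", "/opt/backup/scripts/deg", "deg -k backup.key /data"),
    ProcessEvent("srv-01", "root", (), "cron", "/usr/bin/de", "de /var/log/archive.bin"),
    ProcessEvent("srv-02", "www-data", (), "sh", "/tmp/.x/deg", "deg -p 443 203.0.113.5"),
    ProcessEvent("srv-02", "root", (), "sshd", "/var/tmp/de", "de -l 8080"),
    ProcessEvent("srv-03", "root", (), "bash", "/opt/audit_tools/deg", "deg --selftest"),
    ProcessEvent("srv-03", "alice", ("security_admin",), "secure_decrypt",
                 "/usr/local/bin/secure_decrypt/de", "de file.enc"),
    ProcessEvent("srv-03", "alice", (), "bash", "/usr/bin/degree", "degree"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.host} {e.user:12s} {e.image:36s} -> {triage(e)}")
```

Path-and-user exclusions are the weakest form of tuning, because anything an administrator can write to /opt/backup/scripts/ an intruder with the same account can too; pairing the process-level exclusion with the YARA rule (or a hash of the approved binary) keeps the exclusion from silencing a real 'de'/'deg' sample that happens to be staged in an allowlisted directory.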