The rule detects potential Moonlight Maze adversary activity by identifying encrypted keylogger logs, which may indicate data exfiltration or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of advanced persistent threats and mitigate data compromise risks.
YARA Rule
rule apt_RU_MoonlightMaze_encrypted_keylog {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze encrypted keylogger logs"
    strings:
        $a1 = {47 01 22 2A 6D 3E 39 2C}
    condition:
        ($a1 at 0)
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic, and the condition `$a1 at 0` only fires when that 8-byte sequence sits at the very start of the file, so it acts as a file-header (magic) check rather than a free-floating content search.
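As an added illustration (not part of the original page or Kaspersky's rule), the following Python reproduces the rule's logic without a YARA engine: the 8 bytes from $a1 must be the first 8 bytes of the file. It scans a directory tree reading only each file's header, and a demo with constructed samples shows that the magic appearing later in a file, or only partially, does not match. The sample file names and contents are constructed for the demo.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# The 8-byte header encoded by the rule's $a1 string: {47 01 22 2A 6D 3E 39 2C}.
MOONLIGHT_KEYLOG_MAGIC = bytes.fromhex("4701222A6D3E392C")


def matches_moonlight_keylog(data: bytes) -> bool:
    """Equivalent of the YARA condition `$a1 at 0`: the magic must be the
    very first 8 bytes, not merely present somewhere in the data."""
    return data[: len(MOONLIGHT_KEYLOG_MAGIC)] == MOONLIGHT_KEYLOG_MAGIC


def scan_tree(root: str) -> List[str]:
    """Walk a directory and return paths whose first 8 bytes match.
    Only the header is read, so large files cost a single small read."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                header = fh.read(len(MOONLIGHT_KEYLOG_MAGIC))
        except OSError:
            continue  # unreadable file: skip it rather than abort the hunt
        if matches_moonlight_keylog(header):
            hits.append(str(path))
    return sorted(hits)


def demo() -> Dict[str, bool]:
    """Write constructed samples to a temp dir, scan them, and return
    {sample name: matched?} so the outcome can be checked."""
    samples = {
        "keylog.bin": MOONLIGHT_KEYLOG_MAGIC + b"\x00" * 32,            # magic at offset 0
        "embedded.bin": b"junk" + MOONLIGHT_KEYLOG_MAGIC + b"\x00" * 8,  # magic, but not at 0
        "truncated.bin": MOONLIGHT_KEYLOG_MAGIC[:5],                     # only part of the magic
        "empty.bin": b"",                                                # nothing to match
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        hits = {Path(p).name for p in scan_tree(tmp)}
    return {name: name in hits for name in samples}


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {'MATCH' if matched else 'no match'}")
```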
Scenario: System Maintenance Task Using chntpw
Description: A system administrator uses the chntpw tool to reset a user password on a Windows system, which may generate log entries similar to the keylogger's.
Filter/Exclusion: Exclude processes where the command line includes chntpw or the parent process is a known administrative tool like taskmgr.exe or cmd.exe used for password reset.
Scenario: Scheduled Job for Log Rotation Using logrotate
Description: A scheduled job runs logrotate to manage log files, which may temporarily create or modify log files that resemble keylogger activity.
Filter/Exclusion: Exclude events where the process is logrotate or the file path matches known log directories like /var/log/ or /var/log/syslog.
Scenario: Encrypted Volume Mount Using mount or cryptsetup
Description: An admin mounts an encrypted volume using cryptsetup or mount, which may generate log entries that look like keylogger activity due to encryption-related messages.
Filter/Exclusion: Exclude processes where the command line includes cryptsetup, mount, or the file path contains .enc or .vault extensions.
Scenario: Security Software Scan Using ClamAV or Malwarebytes
Description: A security tool like ClamAV or Malwarebytes performs a scan and generates log entries that may resemble keylogger activity due to the nature of malware detection.
Filter/Exclusion: Exclude processes where the parent process is clamscan, mbam.exe, or any known antivirus/endpoint protection tool.
Scenario: User-Initiated File Encryption Using gpg or openssl
Description: A user encrypts sensitive data using