The hypothesis is that this detection rule identifies potential IRIX exploit activity associated with the Moonlight Maze hackers, who used David Hedley's IRIX exploits to compromise systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activity that may evade traditional detection mechanisms.
YARA Rule
rule apt_RU_MoonlightMaze_IRIX_exploit_GEN {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        hash = "008ea82f31f585622353bd47fa1d84be" //df3
        hash = "a26bad2b79075f454c83203fa00ed50c" //log
        hash = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole
        hash = "5937db3896cdd8b0beb3df44e509e136" //xlock
        hash = "f4ed5170dcea7e5ba62537d84392b280" //xterm
    strings:
        $a1 = "stack = 0x%x, targ_addr = 0x%x"
        $a2 = "execl failed"
    condition:
        // ELF magic (0x7f 'E' 'L' 'F' read little-endian) and both strings present
        (uint32(0) == 0x464c457f) and (all of them)
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
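To see how the rule's condition evaluates, here is an added Python mirror of its logic (not Kaspersky's code and not a replacement for running YARA itself) applied to constructed byte buffers: YARA's uint32(0) reads the first four bytes little-endian, so 0x464c457f is the ELF magic \x7fELF, and a non-ELF file carrying the same two strings (for example a text or source file) does not match.

```python
import struct

# The two strings from the rule's `strings:` section.
RULE_STRINGS = (
    b"stack = 0x%x, targ_addr = 0x%x",
    b"execl failed",
)
# uint32(0) in YARA is little-endian: bytes 7f 45 4c 46 == 0x464c457f
ELF_MAGIC_LE = 0x464C457F


def is_elf(data: bytes) -> bool:
    """Mirror of `uint32(0) == 0x464c457f` on the first four bytes."""
    if len(data) < 4:
        return False
    return struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC_LE


def matching_strings(data: bytes) -> list:
    """Return the rule strings found anywhere in the buffer."""
    return [s.decode() for s in RULE_STRINGS if s in data]


def rule_matches(data: bytes) -> bool:
    """Mirror of the condition: ELF magic AND all of the strings present."""
    return is_elf(data) and len(matching_strings(data)) == len(RULE_STRINGS)


def make_sample(magic: bytes, strings: tuple) -> bytes:
    """Build a constructed test buffer: 4-byte magic, padding, then strings.
    These are not real exploit binaries, just enough bytes to exercise the rule."""
    header = magic + bytes([2, 1, 1]) + b"\x00" * 9  # constructed e_ident-like bytes
    body = b"\x00".join(strings)
    return header + b"\x00" * 16 + body


# Constructed samples (hypothetical data): ELF with both strings should match,
# ELF with only one string and a non-ELF text file with both should not.
SAMPLES = {
    "elf_both_strings": make_sample(b"\x7fELF", RULE_STRINGS),
    "elf_one_string": make_sample(b"\x7fELF", RULE_STRINGS[:1]),
    "text_both_strings": make_sample(b"#!/b", RULE_STRINGS),
}


def evaluate_samples(samples=SAMPLES) -> dict:
    """Evaluate the rule logic over every sample; returns {name: matched}."""
    return {name: rule_matches(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```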
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task runs a script that uses dtrace or dbx to monitor system performance, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Exclude processes associated with known maintenance scripts (e.g., /usr/sbin/cron or /usr/bin/scheduler), or filter by process.name containing maintenance or systemd.
Scenario: Admin Debugging Session
Description: A system administrator uses dbx to debug a core dump of a service, which may resemble the behavior of the Moonlight Maze exploit.
Filter/Exclusion: Exclude processes where process.user is a known admin account (e.g., root, admin, or sysadmin), or filter by process.name containing dbx and debug.
Scenario: Irix-based Legacy Application Execution
Description: A legacy Irix application (e.g., irix-4.0.5) is being executed on a test system, which may trigger the rule due to similar system calls or command patterns.
Filter/Exclusion: Exclude processes where process.name matches known legacy applications or filter by process.parent to identify child processes of a known legitimate parent process (e.g., init or systemd).
Scenario: Automated Security Tool Scan
Description: A security tool like Tripwire or AIDE runs a scan that uses dtrace or dbx to inspect system integrity, which may trigger the rule.
Filter/Exclusion: Exclude processes where process.name matches known security tools or filter by process.parent to identify child processes of a known security tool process.
Scenario: User-Initiated System Diagnostics