Adversaries may use log cleaners based on utclean.c to remove evidence of their activity from system logs, making detection and incident response more difficult. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential log tampering before it impacts forensic analysis or incident response efforts.
YARA Rule
rule apt_RU_MoonlightMaze_u_logcleaner {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaners based on utclean.c"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        hash = "d98796dcda1443a37b124dbdc041fe3b"
        hash = "73a518f0a73ab77033121d4191172820"
    strings:
        $a1="Hiding complit...n"
        $a2="usage: %s <username> <fixthings> [hostname]"
        $a3="ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"
    condition:
        (uint32(0)==0x464c457f) and (any of them)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic. Its condition first requires an ELF header (uint32(0)==0x464c457f is the little-endian reading of the bytes 7f 45 4c 46, i.e. "\x7fELF"), and then fires if any one of the three strings is present; it therefore matches compiled binaries derived from utclean.c, not the C source itself. Because the rule inspects file content rather than process telemetry, the process-based exclusions below apply to the hunting queries built around its hits, not to the rule itself.
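To make the rule's logic concrete without a YARA engine installed, the following added example (not part of the original page or the Kaspersky rule) re-implements the condition in plain Python and runs it over constructed sample blobs, including a source-code file that carries a rule string but is not ELF and so must not match:

```python
import struct
from pathlib import Path

# Strings and ELF check copied from the apt_RU_MoonlightMaze_u_logcleaner rule.
# YARA's uint32(0) is little-endian, so 0x464c457f is the byte sequence 7f 45 4c 46.
ELF_MAGIC = 0x464c457f
PATTERNS = [
    b"Hiding complit...n",
    b"usage: %s <username> <fixthings> [hostname]",
    b"ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp",
]

def is_elf(data: bytes) -> bool:
    """Mirror YARA's uint32(0)==0x464c457f: unsigned 32-bit little-endian read at offset 0."""
    if len(data) < 4:
        return False
    return struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC

def matching_strings(data: bytes) -> list:
    """Return the identifiers ($a1..$a3) of the rule strings found in data."""
    return [f"$a{i}" for i, p in enumerate(PATTERNS, start=1) if p in data]

def scan_bytes(data: bytes) -> dict:
    """Apply the rule condition: ELF header AND any of the strings."""
    hits = matching_strings(data)
    return {"is_elf": is_elf(data), "strings": hits, "match": is_elf(data) and bool(hits)}

def scan_file(path) -> dict:
    """Scan a file on disk with the same logic (hypothetical helper for triage scripts)."""
    result = scan_bytes(Path(path).read_bytes())
    result["path"] = str(path)
    return result

# Constructed samples, not real malware: a minimal fake ELF header plus filler with one
# rule string embedded; a clean ELF-like blob; and a C source snippet that contains a
# rule string but no ELF header.
ELF_HEADER = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9
SAMPLE_HIT = ELF_HEADER + b"\x00" * 32 + PATTERNS[1] + b"\x00" * 16
SAMPLE_CLEAN_ELF = ELF_HEADER + b"\x00" * 64
SAMPLE_SOURCE = b"/* utclean.c */\nprintf(\"" + PATTERNS[0] + b"\");\n"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("clean_elf", SAMPLE_CLEAN_ELF), ("source", SAMPLE_SOURCE)]:
        print(name, scan_bytes(blob))
```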
Scenario: Scheduled log rotation or cleanup task using logrotate
Filter/Exclusion: Check for process names like logrotate or command-line arguments containing logrotate, and exclude entries where the process is initiated by a known log rotation service.
Scenario: System maintenance task using utclean.c as part of a legitimate cleanup script
Filter/Exclusion: Exclude processes where the command line includes /usr/sbin/utclean or other known system maintenance scripts, and verify the script's origin from a trusted system directory. Note that the rule's own reference2 points to utclean.c in a Unix hacking exploits archive, so a utclean binary found under a system path should be verified by hash and provenance rather than excluded on its path alone.
Scenario: Admin manually cleaning up logs using a custom script or tool
Filter/Exclusion: Filter out processes initiated by user accounts with elevated privileges (e.g., root, admin) and where the command line includes known log-cleaning tools like logclean, logrotate, or find.
Scenario: Log file compression using gzip or bzip2 as part of a scheduled job
Filter/Exclusion: Exclude processes where the command line includes gzip, bzip2, or tar and the operation is performed on log files in a known log directory (e.g., /var/log).
Scenario: Security tool or SIEM system purging old logs
Filter/Exclusion: Exclude processes associated with SIEM tools (e.g., Splunk, ELK stack) or security tools that perform log purging, and verify the process is initiated by a known SIEM or log management service.