Adversaries may use the wipe.c tool to erase log files and obscure their presence, reducing the likelihood of detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential log tampering and uncover hidden malicious activity.
YARA Rule
rule apt_RU_MoonlightMaze_wipe {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaner based on wipe.c"
        reference2 = "http://www.afn.org/~afn28925/wipe.c"
        hash = "e69efc504934551c6a77b525d5343241"
    strings:
        $a1 = "ERROR: Unlinking tmp WTMP file."
        $a2 = "USAGE: wipe [ u|w|l|a ] ...options..."
        $a3 = "Erase acct entries on tty : wipe a [username] [tty]"
        $a4 = "Alter lastlog entry : wipe l [username] [tty] [time] [host]"
    condition:
        (uint32(0)==0x464c457f) and (2 of them)
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic contains 4 string patterns ($a1 to $a4); it fires only on a file that starts with the ELF header (uint32(0)==0x464c457f) and contains any 2 of those strings.
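The condition above, re-implemented in pure Python as an added example (this is not Kaspersky's code and not part of the original page; a YARA engine such as yara-python would evaluate the rule directly). It shows why uint32(0)==0x464c457f is the little-endian ELF magic and that the rule matches a compiled binary carrying two of the usage strings, but not the wipe.c source text even though that contains all four. The sample buffers are constructed, not real malware.

```python
# Added example: pure-Python equivalent of apt_RU_MoonlightMaze_wipe's condition,
# so the logic can be traced without a YARA engine installed.
import struct

# The four $a strings from the rule, as bytes (YARA text strings are case-sensitive ASCII)
WIPE_STRINGS = {
    "a1": b"ERROR: Unlinking tmp WTMP file.",
    "a2": b"USAGE: wipe [ u|w|l|a ] ...options...",
    "a3": b"Erase acct entries on tty : wipe a [username] [tty]",
    "a4": b"Alter lastlog entry : wipe l [username] [tty] [time] [host]",
}

# uint32(0) in YARA reads little-endian, so 0x464c457f is the byte sequence 7f 45 4c 46 ("\x7fELF")
ELF_MAGIC_LE = 0x464C457F


def is_elf(data: bytes) -> bool:
    """Equivalent of the rule's uint32(0)==0x464c457f test."""
    if len(data) < 4:
        return False
    return struct.unpack("<I", data[:4])[0] == ELF_MAGIC_LE


def matched_strings(data: bytes) -> list[str]:
    """Identifiers of the $a strings found anywhere in the buffer."""
    return [name for name, s in WIPE_STRINGS.items() if s in data]


def rule_matches(data: bytes) -> bool:
    """ELF header present and at least 2 of the 4 strings, as in the rule."""
    return is_elf(data) and len(matched_strings(data)) >= 2


def scan_file(path: str) -> tuple[bool, list[str]]:
    """Scan one file from disk (assumption: whole file read into memory)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return rule_matches(data), matched_strings(data)


# Constructed samples (not real binaries): a fake ELF with two usage strings, a fake ELF
# with one string, and a plain-text "source file" carrying all four strings.
SAMPLE_ELF_TWO = b"\x7fELF" + b"\x00" * 60 + WIPE_STRINGS["a2"] + b"\x00" + WIPE_STRINGS["a4"]
SAMPLE_ELF_ONE = b"\x7fELF" + b"\x00" * 60 + WIPE_STRINGS["a1"]
SAMPLE_SOURCE = b"/* wipe.c */\n" + b"\n".join(WIPE_STRINGS.values())

if __name__ == "__main__":
    for label, blob in (("elf-two", SAMPLE_ELF_TWO), ("elf-one", SAMPLE_ELF_ONE), ("source", SAMPLE_SOURCE)):
        print(f"{label}: match={rule_matches(blob)} strings={matched_strings(blob)}")
```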
Scenario: Scheduled Log Rotation via logrotate
Description: The wipe.c file may be accessed during log rotation by logrotate, which is a standard tool for managing log files.
Filter/Exclusion: Check for process.name = logrotate or process.args containing /etc/logrotate.conf or similar configuration files.
Scenario: System Maintenance Task Using wipe Command
Description: An admin may use the wipe command (from the wipe package) to securely delete files, which could trigger the rule.
Filter/Exclusion: Filter by process.name = wipe and check for known secure deletion patterns or user context (e.g., user.name = root or admin).
Scenario: Log Cleanup via logclean Script
Description: A custom or third-party script named logclean might be used to clean up old logs, potentially triggering the rule.
Filter/Exclusion: Use process.name = logclean or check for script paths like /usr/local/bin/logclean or /opt/logclean.sh.
Scenario: Disk Space Management via rm or find
Description: System administrators may use rm or find with wildcards to delete old log files, which could be mistaken for log cleaning.
Filter/Exclusion: Filter by process.name = rm or process.name = find, and check for patterns like *.log or logs/ in the command line arguments.
Scenario: Security Tool or SIEM Agent Writing to /var/log/wipe.c
Description: Some security tools or SIEM agents might write to /var/log/wipe.c as part of their logging or configuration, causing false positives.