The hypothesis is that the detection rule identifies potential Moonlight Maze 'xk' keylogger samples by matching strings embedded in the keylogger binary (its log banner format strings and the hard-coded working files under /var/tmp), not by process-creation or file-execution telemetry: a YARA rule inspects the bytes of a file or a memory region, so the "activity" it surfaces is the presence of the implant, or of its log and state files, on a scanned host. SOC teams should proactively hunt for this malware with a YARA-capable scanner on Unix hosts and file stores and forward the matches to Azure Sentinel (now Microsoft Sentinel) to identify and mitigate the long-term persistence and data exfiltration risk associated with this advanced persistent threat.
YARA Rule
rule apt_RU_MoonlightMaze_xk_keylogger {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'xk' keylogger"
    strings:
        $a1="Log ended at => %s"
        $a2="Log started at => %s [pid %d]"
        $a3="/var/tmp/task" fullword
        $a4="/var/tmp/taskhost" fullword
        $a5="my hostname: %s"
        $a6="/var/tmp/tasklog"
        $a7="/var/tmp/.Xtmp01" fullword
        $a8="myfilename=-%s-"
        $a9="/var/tmp/taskpid"
        $a10="mypid=-%d-" fullword
        $a11="/var/tmp/taskgid" fullword
        $a12="mygid=-%d-" fullword
    condition:
        ((3 of ($a*)))
}
This YARA rule matches on file content (or on process memory where the scanner supports it), so it is deployed through a YARA-capable engine: the yara command-line tool, an EDR or antivirus product that accepts custom YARA rules, or a sandbox or file-ingest pipeline, with the resulting matches forwarded to the SIEM rather than expressed as a process-creation query.
This rule contains 12 string patterns in its detection logic; the condition fires when any 3 of them occur in the scanned object, and the fullword modifier on six of them ($a3, $a4, $a7, $a10, $a11, $a12) requires the occurrence to be delimited by non-alphanumeric bytes, so "/var/tmp/task" inside "/var/tmp/taskhost" does not count as a hit for $a3.
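The following is an added example, not code from the original page or from Kaspersky: it emulates the matching logic of apt_RU_MoonlightMaze_xk_keylogger over in-memory buffers so that the "3 of ($a*)" threshold and the fullword modifier can be observed without a YARA install, and it shows the file-hash exclusion that a content-matching rule calls for in the false-positive scenarios that follow. The sample buffers are constructed for the demonstration and are not real malware; the triage() wrapper and its SHA-256 allowlist are a hypothetical exclusion mechanism, not part of the rule.

```python
# Added example (not from the original page or from Kaspersky): emulates the
# matching logic of apt_RU_MoonlightMaze_xk_keylogger over in-memory buffers
# so the '3 of ($a*)' threshold and the 'fullword' modifier can be observed
# without a YARA install. The sample buffers are constructed for the demo;
# they are not real malware. The hash allowlist is a hypothetical exclusion
# mechanism, not part of the rule.
import hashlib

# The 12 strings from the rule; the flag marks those declared 'fullword'.
XK_STRINGS = [
    (b"Log ended at => %s", False),             # $a1
    (b"Log started at => %s [pid %d]", False),  # $a2
    (b"/var/tmp/task", True),                   # $a3
    (b"/var/tmp/taskhost", True),               # $a4
    (b"my hostname: %s", False),                # $a5
    (b"/var/tmp/tasklog", False),               # $a6
    (b"/var/tmp/.Xtmp01", True),                # $a7
    (b"myfilename=-%s-", False),                # $a8
    (b"/var/tmp/taskpid", False),               # $a9
    (b"mypid=-%d-", True),                      # $a10
    (b"/var/tmp/taskgid", True),                # $a11
    (b"mygid=-%d-", True),                      # $a12
]
THRESHOLD = 3  # condition: 3 of ($a*)


def _string_present(data, pattern, fullword):
    """True if pattern occurs in data. With fullword, YARA additionally
    requires that the bytes immediately before and after the occurrence are
    not alphanumeric, so '/var/tmp/task' inside '/var/tmp/taskhost' does not
    count for $a3."""
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return False
        if not fullword:
            return True
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1  # keep looking for a properly delimited occurrence


def matched_strings(data):
    """Identifiers ($a1..$a12) of the rule strings found in data."""
    return [f"$a{i}" for i, (pat, fw) in enumerate(XK_STRINGS, 1)
            if _string_present(data, pat, fw)]


def rule_fires(data):
    return len(matched_strings(data)) >= THRESHOLD


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(data, allowlisted_sha256):
    """Hypothetical scanner wrapper: a YARA hit is suppressed only for files
    whose SHA-256 has been reviewed and allowlisted (rule repositories, vendor
    signature files), never on the basis of the process that wrote them."""
    if not rule_fires(data):
        return "clean"
    return "allowlisted" if sha256_hex(data) in allowlisted_sha256 else "hit"


# Constructed samples.
# 1) An ELF-like blob carrying three of the strings: the minimum to fire.
SAMPLE_IMPLANT = (b"\x7fELF" + b"\x00" * 12
                  + b"Log started at => %s [pid %d]\x00"
                  + b"/var/tmp/taskhost\x00my hostname: %s\x00")
# 2) Only two strings present: below the threshold, so no alert.
SAMPLE_TWO_ONLY = b"/var/tmp/taskhost\x00mypid=-%d-\x00"
# 3) fullword demo: 'x/var/tmp/taskgid2' fails $a3 and $a11, but
#    '/var/tmp/taskpid2' still satisfies the non-fullword $a9.
SAMPLE_FULLWORD = b"x/var/tmp/taskgid2 /var/tmp/taskpid2"
# 4) The rule's own strings section, as it appears in a .yar file or a
#    threat report: every string is present, so the rule matches itself.
RULE_TEXT_SELF = "\n".join(
    f'$a{i}="{pat.decode()}"' + (" fullword" if fw else "")
    for i, (pat, fw) in enumerate(XK_STRINGS, 1)).encode()

if __name__ == "__main__":
    allow = {sha256_hex(RULE_TEXT_SELF)}
    for name, buf in [("implant", SAMPLE_IMPLANT), ("two_only", SAMPLE_TWO_ONLY),
                      ("fullword", SAMPLE_FULLWORD), ("rule_text", RULE_TEXT_SELF)]:
        print(f"{name:10} {matched_strings(buf)} -> {triage(buf, allow)}")
```

Running the block shows the rule firing on the three-string implant sample, staying quiet on the two-string and fullword samples, and firing on its own strings section, which is why YARA rule repositories, vendor signature files and threat reports are the realistic false-positive population for this rule and why the exclusion key is the matched file's hash or path, not the name of a process.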
Scenario: Legitimate scheduled job for system maintenance
Description: A system administrator's scheduled maintenance job (cron or at on the Unix hosts this keylogger targets, schtasks.exe on Windows) writes a working file or log that shares a name or log banner with the keylogger's signature, for example a task file under /var/tmp or a line such as "Log started at".
Filter/Exclusion: Because the rule requires three of its twelve strings in the same file, a single coincidental name or banner does not fire it; if a reviewed job's output does match, exclude that file by path or hash rather than excluding everything launched by the scheduler, since the rule reports the file that matched, not the process that created it.
Scenario: PowerShell script for log analysis
Description: A security analyst runs a PowerShell script (powershell.exe with -Command or -File) that parses or copies logs and threat reports, and the temporary files it produces contain the keylogger's strings copied from the analysed material.
Filter/Exclusion: Exclude the analyst's known script path and its output directory by path or hash, limited to that analyst's user context; do not widen the exclusion to everything run under powershell.exe, since an attacker can use the same interpreter.
Scenario: Antivirus or endpoint protection tool updating its database
Description: An endpoint protection tool such as Microsoft Defender or Kaspersky writes signature databases, quarantine copies or threat-intelligence reports to disk, and these can contain the keylogger's strings verbatim; the YARA rule file itself satisfies its own condition, since it contains all twelve strings.
Filter/Exclusion: Exclude the vendor's signature and quarantine directories, YARA rule repositories and threat reports by path or file hash; an exclusion keyed on the process name (e.g., MsMpEng.exe, KavService.exe) does not fit a content-matching rule and would also suppress a genuine sample that such a process happened to write.
Scenario: Admin task for user profile cleanup
Description: An administrator uses cleanmgr.exe or a cleanup script to purge temporary directories such as /var/tmp, and the tool's log lists the removed files, including names that match the keylogger's file patterns.
Filter/Exclusion: A listing of file names contains at most the path strings ($a3, $a4, $a6, $a7, $a9, $a11), so a cleanup log that names three or more of them does fire the rule; treat that as a finding to review rather than a false positive, because it records that those files existed on the host, and exclude the log by path only after the listed files have been confirmed benign.
Scenario: Legitimate keylogging for user behavior analysis
Description: A legitimate tool like Keylogger Analyzer or User Activity Monitor is used by the