The Miracl mirsys init rule detects potential adversary behavior involving the initialization of a Mirsys service, which may indicate unauthorized system configuration or persistence. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate potential compromise of critical infrastructure components.
YARA Rule
rule Miracl_mirsys_init
{
    meta:
        author = "Maxx"
        description = "Miracl mirsys init"
    strings:
        $c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 }
    condition:
        $c0
}
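The rule's single string `$c0` is a hex pattern in which `??` marks a byte that may take any value (here mostly the 4-byte absolute addresses that differ between builds). The following is an added example, not part of the page or of the rule author's code: it re-implements the matching semantics of that pattern in pure Python (fixed bytes plus `??` wildcards only; YARA jumps and alternatives are out of scope), reports how much of the pattern is fixed versus wildcard, and scans a constructed buffer in which the pattern is embedded at a known offset. The sample buffer and the 0xAA wildcard fill are constructed for the demonstration.

```python
import re

# Hex string copied verbatim from the rule's $c0 pattern.
MIRSYS_INIT_HEX = (
    "53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? "
    "3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 "
    "A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 "
    "00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B "
    "0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? "
    "?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 "
    "00 00 50 E8"
)


def compile_hex_pattern(hex_string):
    """Translate a YARA-style hex string (fixed bytes and ?? wildcards only)
    into a compiled bytes regex. Each ?? becomes '.', which with DOTALL
    matches exactly one arbitrary byte."""
    regex = b""
    for token in hex_string.split():
        if token == "??":
            regex += b"."
        else:
            regex += re.escape(bytes([int(token, 16)]))
    return re.compile(regex, re.DOTALL)


def scan(data, hex_string=MIRSYS_INIT_HEX):
    """Return every offset in data at which the pattern occurs."""
    return [m.start() for m in compile_hex_pattern(hex_string).finditer(data)]


def pattern_stats(hex_string=MIRSYS_INIT_HEX):
    """Count total, fixed and wildcard bytes; useful for judging how specific a signature is."""
    tokens = hex_string.split()
    wildcards = tokens.count("??")
    return {"length": len(tokens), "fixed": len(tokens) - wildcards, "wildcards": wildcards}


def build_sample(match=True):
    """Constructed test buffer (not a real binary): the pattern with every
    wildcard filled with 0xAA, placed at offset 16 between NOP and zero padding.
    With match=False the first fixed byte is flipped so the pattern cannot match."""
    body = bytearray(0xAA if t == "??" else int(t, 16) for t in MIRSYS_INIT_HEX.split())
    if not match:
        body[0] ^= 0xFF  # 0x53 becomes 0xAC
    return b"\x90" * 16 + bytes(body) + b"\x00" * 8


if __name__ == "__main__":
    print("pattern stats:", pattern_stats())
    print("hits in matching sample:", scan(build_sample(True)))
    print("hits in altered sample:", scan(build_sample(False)))
```

For real scanning use the `yara` command-line tool or the yara-python bindings against the rule file; the point of the re-implementation is to make visible that the rule matches on file or memory bytes only, with 48 of its 159 bytes left open by wildcards, so any process-level context has to come from the tool that surfaces the match rather than from the rule itself.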
This rule contains one string pattern in its detection logic. It can be deployed in the following contexts, each listed with an example filter or exclusion:
Scenario: System initialization during boot process
Filter/Exclusion: process.parent_process != "init" and process.parent_process != "systemd"
Scenario: Legitimate admin task using Miracl for authentication setup
Filter/Exclusion: process.name != "mirsys" or process.args != "init"
Scenario: Scheduled job to initialize Miracl services during maintenance window
Filter/Exclusion: process.parent_process != "cron" or process.command_line != "mirsys init"
Scenario: Miracl service being restarted by a system update or patching tool
Filter/Exclusion: process.name != "systemd" or process.service_name != "mirsys"
Scenario: Testing or development environment triggering the init command manually
Filter/Exclusion: process.hostname != "dev-*" or process.user != "test_user"