title: Moriya Rootkit
author: Bhabesh Raj
date: 2021/05/06
description: Detects the use of Moriya rootkit as described in the securelist's Operation
  TunnelSnake report
detection:
  SELECTION_1:
    EventID: 7045
  SELECTION_2:
    ServiceName: ZzNetSvc
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- None
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
level: critical
logsource:
  product: windows
  service: system
modified: 2021/09/21
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
ruletype: SIGMA