33 lines
894 B
YAML
33 lines
894 B
YAML
title: Moriya Rootkit
|
|
author: Bhabesh Raj
|
|
date: 2021/05/06
|
|
description: Detects the use of Moriya rootkit as described in the securelist's Operation
|
|
TunnelSnake report
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 11
|
|
SELECTION_2:
|
|
TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- None
|
|
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
|
|
level: critical
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
modified: 2021/09/21
|
|
references:
|
|
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
|
|
related:
|
|
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
|
|
type: derived
|
|
status: experimental
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.t1543.003
|
|
yml_filename: file_event_moriya_rootkit.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
|
|
|