Moriya Rootkit File Created

calendar Jun 20, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003 detection.emerging_threats  ·
Share on: linkedin copy

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Sigma rule (View on GitHub)

 1title: Moriya Rootkit File Created
 2id: a1507d71-0b60-44f6-b17c-bf53220fdd88
 3related:
 4    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 5      type: derived
 6status: test
 7description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
 8references:
 9    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
10author: Bhabesh Raj
11date: 2021/05/06
12modified: 2023/05/05
13tags:
14    - attack.persistence
15    - attack.privilege_escalation
16    - attack.t1543.003
17    - detection.emerging_threats
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection:
23        TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
24    condition: selection
25falsepositives:
26    - Unknown
27level: critical

References

  • Operation TunnelSnake

    A newly discovered rootkit 'Moriya' is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel.


    Read More

Related rules

to-top