Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in the Windows System32 drivers directory. This filename was reported to be related to the Moriya rootkit, as described in Securelist's Operation TunnelSnake report.
Sigma rule
```yaml
title: Moriya Rootkit File Created
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
      type: derived
status: test
description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021/05/06
modified: 2023/05/05
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1543.003
    - detection.emerging_threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
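The rule's `selection` is a single exact-match on `TargetFilename`, so the detection logic is easy to reproduce outside a SIEM. The block below is an added example (not part of the rule or its repository): it applies the same selection to a few constructed Sysmon FileCreate events and shows two properties a practitioner should keep in mind when porting the rule by hand. First, Sigma string values are compared case-insensitively, so a backend must not emit a case-sensitive equality test; the second sample event, which differs only in letter case, must still fire. Second, the rule is a literal-path indicator: the same file dropped under another directory (third event) or a FileDelete for the same path (fourth event) do not match. The `FileEvent` type, the `SAMPLE_EVENTS` list and the mapping of `file_event` to Sysmon Event ID 11 are assumptions of this example, not fields defined by the rule.

```python
"""Added example: apply the Moriya rule's selection to constructed Sysmon events."""
from dataclasses import dataclass
from typing import Iterable, List

# The literal path from the rule's `selection` block.
RULE_TARGET = r"C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys"

# Assumption: Sigma `product: windows` / `category: file_event` is
# typically backed by Sysmon Event ID 11 (FileCreate).
SYSMON_FILE_CREATE = 11


@dataclass(frozen=True)
class FileEvent:
    """Minimal shape of a Sysmon file event; constructed for this example."""
    event_id: int
    image: str            # process that created the file
    target_filename: str  # Sysmon TargetFilename field


def matches_rule(event: FileEvent) -> bool:
    """Return True if the event satisfies the rule's `selection`.

    Sigma treats plain string values as case-insensitive, so the
    comparison is done on case-folded paths; an exact case-sensitive
    `==` would silently miss events whose path casing differs.
    """
    if event.event_id != SYSMON_FILE_CREATE:
        return False
    return event.target_filename.casefold() == RULE_TARGET.casefold()


def detect(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Evaluate `condition: selection` over a stream of events."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    # 1. Exact path as written in the rule: fires.
    FileEvent(11, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys"),
    # 2. Same path, different casing: still fires (case-insensitive match).
    FileEvent(11, r"C:\Users\alice\setup.exe",
              r"c:\windows\system32\DRIVERS\moriyastreamwatchmen.sys"),
    # 3. Same filename in another directory: the rule does not cover it.
    FileEvent(11, r"C:\Users\alice\setup.exe",
              r"C:\Temp\MoriyaStreamWatchmen.sys"),
    # 4. FileDelete (Sysmon ID 23) of the driver path: not a file_event create.
    FileEvent(23, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys"),
]


def run_example() -> List[FileEvent]:
    """Convenience entry point for the reader: returns the matched events."""
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[critical] Moriya Rootkit File Created: "
              f"{hit.image} -> {hit.target_filename}")
    return hits


if __name__ == "__main__":
    run_example()
```

Because the rule keys on one hard-coded path, a renamed or relocated driver evades it; treat a hit as high-confidence and a miss as no information, and pair it with the related, broader service-installation rules listed below rather than relying on the filename alone.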
References
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
Related rules
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security
- SOURGUM Actor Behaviours
- Malicious Service Installations
- New Service Creation Using PowerShell