Moriya Rootkit - System

calendar Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003  ·
Share on: linkedin copy

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Sigma rule (View on GitHub)

 1title: Moriya Rootkit - System
 2id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 3status: test
 4description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
 5references:
 6    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 7author: Bhabesh Raj
 8date: 2021-05-06
 9modified: 2022-11-29
10tags:
11    - attack.persistence
12    - attack.privilege-escalation
13    - attack.t1543.003
14logsource:
15    product: windows
16    service: system
17detection:
18    selection:
19        Provider_Name: 'Service Control Manager'
20        EventID: 7045
21        ServiceName: ZzNetSvc
22    condition: selection
23falsepositives:
24    - Unknown
25level: critical

References

  • Operation TunnelSnake

    A newly discovered rootkit 'Moriya' is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel.


    Read More

Related rules

to-top