The detection identifies potential activity from the Sphinx Moth threat group associated with the file h2t.dat, which may indicate initial compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before it escalates.
YARA Rule
rule Sphinx_Moth_h2t
{
meta:
description = "sphinx moth threat group file h2t.dat"
author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
reference = "www.kudelskisecurity.com"
date = "2015-08-06"
strings:
$x1 = "%s <proxy ip> <proxy port> <target ip> <target port> <cmd> [arg1 cmd] ... [argX cmd]" fullword ascii
$s1 = "[-] Error in connection() %d - %s" fullword ascii
$s2 = "[-] Child process exit." fullword ascii
$s3 = "POST http://%s:%s/ HTTP/1.1" fullword ascii
$s4 = "pipe() to" fullword ascii
$s5 = "pipe() from" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 156KB and ($x1 or all of ($s*))
}This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: System update or patching process using WSUS (Windows Server Update Services)
Filter/Exclusion: process.parent_process == "C:\\Windows\\System32\\svchost.exe" && process.name == "wuauclt.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name == "vmbackup.exe" && process.parent_process == "C:\\Program Files\\Veeam\\Backup\\vmbackup.exe"
Scenario: Admin task involving PowerShell scripting for system configuration
Filter/Exclusion: process.name == "powershell.exe" && process.args contains "Microsoft.PowerShell.Management"
Scenario: Log file analysis using ELK Stack (Elasticsearch, Logstash, Kibana)
Filter/Exclusion: process.name == "logstash.exe" && process.args contains "file" && process.args contains "input"
Scenario: Database maintenance task using SQL Server Agent Job
Filter/Exclusion: process.name == "sqlservr.exe" && process.parent_process == "C:\\Windows\\System32\\sqlagent.exe"