The detection identifies potential adversary activity associated with the Sphinx Moth threat group, specifically the presence of the kerberos32.dll file, which may indicate malicious code execution or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises and mitigate lateral movement risks.
YARA Rule
rule Sphinx_Moth_kerberos32
{
    meta:
        description = "sphinx moth threat group file kerberos32.dll"
        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"
    strings:
        $x1 = "%WINDIR%\\ativpsrz.bin" fullword ascii
        $x2 = "%WINDIR%\\ativpsrn.bin" fullword ascii
        $x3 = "kerberos32.dll" fullword wide
        $x4 = "KERBEROS64.dll" fullword ascii
        $x5 = "kerberos%d.dll" fullword ascii
        $s1 = "\\\\.\\pipe\\lsassp" fullword ascii
        $s2 = "LSASS secure pipe" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "NullSessionPipes" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "getlog" fullword ascii
        $s5 = "startlog" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "stoplog" fullword ascii /* PEStudio Blacklist: strings */
        $s7 = "Unsupported OS (%d)" fullword ascii /* PEStudio Blacklist: strings */
        $s8 = "Unsupported OS (%s)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (2 of ($x*) or all of ($s*))
}
This YARA rule can be deployed in the following contexts:
This rule contains 13 string patterns in its detection logic.
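To show how the condition above actually evaluates (the MZ header check, the 300KB size bound, the "2 of ($x*) or all of ($s*)" logic, and YARA's fullword and wide string semantics), here is an added plain-Python re-implementation of this rule's logic; it is not part of the original rule or the signature set, and the three test buffers are constructed for illustration, not real samples.

```python
# Plain-Python re-implementation of the Sphinx_Moth_kerberos32 condition (added example, no yara-python needed)
X_STRINGS = {  # "2 of ($x*)" group; x3 is a 'wide' (UTF-16LE) string in the rule
    "x1": ("%WINDIR%\\ativpsrz.bin", "ascii"),
    "x2": ("%WINDIR%\\ativpsrn.bin", "ascii"),
    "x3": ("kerberos32.dll", "wide"),
    "x4": ("KERBEROS64.dll", "ascii"),
    "x5": ("kerberos%d.dll", "ascii"),
}
S_STRINGS = {  # "all of ($s*)" group
    "s1": ("\\\\.\\pipe\\lsassp", "ascii"),
    "s2": ("LSASS secure pipe", "ascii"),
    "s3": ("NullSessionPipes", "ascii"),
    "s4": ("getlog", "ascii"),
    "s5": ("startlog", "ascii"),
    "s6": ("stoplog", "ascii"),
    "s7": ("Unsupported OS (%d)", "ascii"),
    "s8": ("Unsupported OS (%s)", "ascii"),
}

def _is_alnum_unit(unit: bytes, step: int) -> bool:
    """True if the 1-byte (ascii) or 2-byte (wide) neighbour is an alphanumeric character."""
    if len(unit) != step or unit[0] >= 128 or (step == 2 and unit[1] != 0):
        return False
    return chr(unit[0]).isalnum()

def fullword_match(data: bytes, text: str, mode: str) -> bool:
    """YARA 'fullword' semantics: a hit counts only if not bordered by alphanumerics."""
    step = 1 if mode == "ascii" else 2
    needle = text.encode("ascii" if mode == "ascii" else "utf-16-le")
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[max(idx - step, 0):idx]
        after = data[idx + len(needle):idx + len(needle) + step]
        if not _is_alnum_unit(before, step) and not _is_alnum_unit(after, step):
            return True
        start = idx + 1
    return False

def evaluate(data: bytes):
    """Apply the rule condition; returns (matched, list of atom ids that hit)."""
    is_mz = data[:2] == b"MZ"            # uint16(0) == 0x5a4d is little-endian "MZ"
    small = len(data) < 300 * 1024       # filesize < 300KB (YARA KB = 1024)
    x_hits = [k for k, (t, m) in X_STRINGS.items() if fullword_match(data, t, m)]
    s_hits = [k for k, (t, m) in S_STRINGS.items() if fullword_match(data, t, m)]
    matched = is_mz and small and (len(x_hits) >= 2 or len(s_hits) == len(S_STRINGS))
    return matched, x_hits + s_hits

# Constructed buffers (not real samples): a PE-like blob satisfying "2 of ($x*)", a text note
# naming the same DLLs but with no MZ header, and a PE-like blob with too few $s atoms.
SUSPECT = b"MZ" + b"\x00" * 64 + "kerberos32.dll".encode("utf-16-le") + b"\x00KERBEROS64.dll\x00"
NOT_PE = b"notes: kerberos32.dll and KERBEROS64.dll are mentioned here"
PARTIAL = b"MZ" + b"\x00" * 64 + b"\x00getlog\x00startlog\x00stoplog\x00"
```

Note that NOT_PE contains "kerberos32.dll" only as ASCII, so $x3 (declared wide) does not fire on it; only the MZ-prefixed buffer with two $x atoms matches.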
Scenario: Legitimate system update or patching process that includes kerberos32.dll
Filter/Exclusion: Check for the presence of update tools like wusa.exe or msiexec.exe in the process tree, or filter by file modification timestamps matching known patch schedules.
Scenario: Scheduled job running a legitimate script that references kerberos32.dll (e.g., via cmd.exe or powershell.exe)
Filter/Exclusion: Filter by process name (cmd.exe or powershell.exe) and check for known scheduled tasks using tools like schtasks.exe or Task Scheduler logs.
Scenario: Administrative task involving Active Directory operations that requires kerberos32.dll (e.g., using adsiedit.msc or dsmig.exe)
Filter/Exclusion: Filter by process names such as adsiedit.exe, dsmig.exe, or adsutil.vbs, and check for AD-related command-line tools.
Scenario: Antivirus or endpoint protection tool performing a scan or quarantine operation that temporarily accesses kerberos32.dll
Filter/Exclusion: Filter by process names like mpsvc.exe, mfev.exe, or avastui.exe, and check for known security software processes.
Scenario: Custom application or service that dynamically loads kerberos32.dll for authentication purposes (e.g., using LoadLibrary in a .NET or native application)
Filter/Exclusion: Filter by application-specific process names, or confirm the loading application against an inventory of known internal applications using Process Monitor (ProcMon) logs.