The detection identifies the presence of the kerberos64.dll file, which is associated with the Sphinx Moth threat group, indicating potential adversary activity leveraging the Kerberos protocol for lateral movement or persistence. SOC teams should proactively hunt for this file in Azure Sentinel to identify and mitigate early-stage compromise by advanced persistent threats.
YARA Rule
rule Sphinx_Moth_kerberos64
{
    meta:
        description = "sphinx moth threat group file kerberos64.dll"
        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"
    strings:
        $s0 = "KERBEROS64.dll" fullword ascii
        $s1 = "zeSecurityDescriptor" fullword ascii
        $s2 = "SpGetInfo" fullword ascii
        $s3 = "SpShutdown" fullword ascii
        $op0 = { 75 05 e8 6a c7 ff ff 48 8b 1d 47 d6 00 00 33 ff } /* Opcode */
        $op1 = { 48 89 05 0c 2b 01 00 c7 05 e2 29 01 00 09 04 00 } /* Opcode */
        $op2 = { 48 8d 3d e3 ee 00 00 ba 58 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 406KB and all of ($s*) and 1 of ($op*)
}
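To make the condition above concrete, here is an added example (not code from the page, from Kudelski Security or from Florian Roth): a pure-Python re-implementation of the rule's matching logic, so the individual checks can be stepped through without a YARA install. It assumes YARA's documented semantics, namely that uint16(0) is a little-endian read, that 406KB means 406 * 1024 bytes, and that fullword requires the neighbouring bytes to be non-alphanumeric. The sample files are constructed in-line and are not real samples.

```python
"""Pure-Python emulation of the Sphinx_Moth_kerberos64 condition (added example)."""

# "filesize < 406KB": YARA's KB suffix multiplies by 1024 (assumption stated in lead-in).
MAX_SIZE = 406 * 1024

# $s0..$s3: the "fullword ascii" strings. SpGetInfo/SpShutdown are export names
# used by LSA security packages, which is why a Kerberos-named DLL carries them.
FULLWORD_STRINGS = [
    b"KERBEROS64.dll",
    b"zeSecurityDescriptor",
    b"SpGetInfo",
    b"SpShutdown",
]

# $op0..$op2: raw opcode sequences copied from the rule's hex strings.
OPCODES = [
    bytes.fromhex("7505e86ac7ffff488b1d47d6000033ff"),
    bytes.fromhex("4889050c2b0100c705e2290100090400"),
    bytes.fromhex("488d3de3ee0000ba58"),
]


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Return True if needle occurs in data delimited by non-alphanumeric bytes
    (or the start/end of data), which is YARA's "fullword" modifier."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        # bytes.isalnum() is ASCII-only, matching YARA's [A-Za-z0-9] notion.
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1  # this occurrence was embedded in a longer token; keep looking


def matches_rule(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 406KB and all of ($s*) and 1 of ($op*)."""
    # uint16(0) is little-endian, so b"MZ" (0x4D 0x5A) reads as 0x5A4D.
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    if not all(fullword_match(data, s) for s in FULLWORD_STRINGS):
        return False
    return any(op in data for op in OPCODES)


def scan_paths(paths):
    """Read each file and return the paths whose contents satisfy the rule."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            if matches_rule(fh.read()):
                hits.append(path)
    return hits


def build_sample(strings, opcode: bytes, size: int = 4096) -> bytes:
    """Construct a fake PE-like blob (MZ header, NUL-delimited strings, one opcode run).
    Constructed test data only; not derived from any real file."""
    body = b"MZ" + b"\x00" * 62
    for s in strings:
        body += b"\x00" + s + b"\x00"
    body += opcode
    return body + b"\x00" * max(0, size - len(body))


def demo():
    """Return (positive, embedded_word, no_mz, no_opcode, too_large) verdicts."""
    positive = build_sample(FULLWORD_STRINGS, OPCODES[1])
    # Same strings but glued to a preceding letter: fullword should reject them.
    embedded = build_sample([b"x" + s for s in FULLWORD_STRINGS], OPCODES[1])
    no_mz = b"ZM" + positive[2:]
    no_opcode = build_sample(FULLWORD_STRINGS, b"")
    too_large = build_sample(FULLWORD_STRINGS, OPCODES[0], size=MAX_SIZE)
    return tuple(matches_rule(x) for x in (positive, embedded, no_mz, no_opcode, too_large))


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False, False)
```

Note that the opcode strings are matched as plain byte sequences, so a recompiled or relinked build of the same code shifts the relative offsets baked into them (for example the rel32 in `e8 6a c7 ff ff`) and the `1 of ($op*)` clause stops firing; the four fullword strings are the more durable half of the rule.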
This rule contains 7 string patterns in its detection logic (four fullword strings and three opcode sequences). The scenarios below describe legitimate activity that may trigger this detection, together with the filter or exclusion that separates it from true positives:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs kerberos64.dll as part of a system update or maintenance process.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or Task Scheduler context, or filter by ProcessName matching svchost.exe or taskhost.exe.

Scenario: Microsoft Windows Update Process
Description: The kerberos64.dll file is accessed during a Windows Update operation, which is a normal system behavior.
Filter/Exclusion: Filter by ImageLoaded or ProcessName matching wuauclt.exe or svchost.exe with Windows Update service context.

Scenario: Microsoft Active Directory Replication
Description: The file is accessed during Active Directory replication or Kerberos ticket management by domain controllers.
Filter/Exclusion: Filter by ProcessName matching ntdsutil.exe, dcdiag.exe, or repadmin.exe, or check for Domain Controller system role.

Scenario: Legitimate Security Software Integration
Description: A security tool like Microsoft Defender or CrowdStrike may use kerberos64.dll for credential protection or Kerberos integration.
Filter/Exclusion: Filter by ProcessName matching MsMpEng.exe, mpsvc.exe, or crowdstrike.exe, or check for Security Software process context.

Scenario: Admin-Initiated Kerberos Ticket Renewal
Description: An administrator manually renews Kerberos tickets using tools like klist.exe or kinit.exe, which may access kerberos64.dll.
Filter/Exclusion: Filter by CommandLine containing klist.exe, kinit.exe, or `