Angler Exploit Kit activity is detected through unusual network traffic patterns and suspicious file execution behaviors indicative of exploit kit deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from Angler, which is known for delivering malware and ransomware payloads.
YARA Rule
rule angler_jar : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Angler Exploit Kit Detection"
        hash0 = "3de78737b728811af38ea780de5f5ed7"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // Auto-generated text strings taken from the sample; note that "\\" is
        // the YARA escape for a single literal backslash in $string5 and $string6.
        $string0 = "myftysbrth"
        $string1 = "classPK"
        $string2 = "8aoadN"
        $string3 = "j5/_<F"
        $string4 = "FXPreloader.class"
        $string5 = "V4w\\K,"
        $string6 = "W\\Vr2a"
        $string7 = "META-INF/MANIFEST.MF"
        $string8 = "Na8$NS"
        $string9 = "_YJjB'"

    condition:
        // At least 9 of the 10 strings must be present for a match.
        9 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
Scenario: Scheduled system update via Windows Update
Filter/Exclusion: process.parent_process != "svchost.exe" OR process.name != "wusa.exe"
Scenario: Legitimate use of Metasploit for penetration testing
Filter/Exclusion: process.name != "msfconsole.exe" OR process.parent_process != "msfconsole.exe"
Scenario: Admin performing a PowerShell-based system cleanup
Filter/Exclusion: process.name != "powershell.exe" OR process.parent_process != "explorer.exe"
Scenario: Automated backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "vmrun.exe" OR process.parent_process != "veeam.exe"
Scenario: User running a legitimate exploit mitigation tool like Cisco Talos Intelligence
Filter/Exclusion: process.name != "talos-intel.exe" OR process.parent_process != "explorer.exe"
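To see how narrow the rule's "9 of them" condition is, here is an added example (not part of the original page or the rule author's tooling) that re-implements the angler_jar string matching in plain Python and runs it over two constructed blobs: one carrying all ten strings, and one benign JAR-like blob that shares only the generic ZIP/JAR markers. The sample bytes are constructed for illustration and are not real malware.

```python
# Added example: minimal re-implementation of the angler_jar rule's string logic,
# useful for testing the threshold offline. Production scanning should use YARA
# (e.g. yara-python) against the rule text itself.

# The rule's ten text strings. YARA's "\\" escape denotes one literal backslash,
# so the bytes actually searched for are V4w\K, and W\Vr2a.
ANGLER_JAR_STRINGS = [
    b"myftysbrth",
    b"classPK",
    b"8aoadN",
    b"j5/_<F",
    b"FXPreloader.class",
    b"V4w\\K,",
    b"W\\Vr2a",
    b"META-INF/MANIFEST.MF",
    b"Na8$NS",
    b"_YJjB'",
]
THRESHOLD = 9  # condition: 9 of them


def matched_strings(data: bytes) -> list:
    """Return the rule strings that occur anywhere in data (plain substring search)."""
    return [s for s in ANGLER_JAR_STRINGS if s in data]


def angler_jar_matches(data: bytes) -> bool:
    """True when at least THRESHOLD of the ten strings are present in data."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples (not real files): an EK-like blob containing all ten strings
# wrapped in ZIP local/end-of-central-directory markers, and a benign JAR-like blob
# that only contains the manifest path and a .class entry name.
SAMPLE_EK_BLOB = b"PK\x03\x04" + b"\x00".join(ANGLER_JAR_STRINGS) + b"PK\x05\x06"
SAMPLE_BENIGN_JAR = b"PK\x03\x04META-INF/MANIFEST.MF\x00com/example/App.classPK\x05\x06"

if __name__ == "__main__":
    for name, blob in (("constructed EK-like blob", SAMPLE_EK_BLOB),
                       ("constructed benign JAR", SAMPLE_BENIGN_JAR)):
        hits = matched_strings(blob)
        print(f"{name}: {len(hits)}/10 strings present, match={angler_jar_matches(blob)}")
```

The benign JAR hits only "classPK" and "META-INF/MANIFEST.MF", which is why the generic ZIP/JAR markers alone cannot trigger this rule; dropping two of the ten strings from the EK-like blob is already enough to fall below the threshold.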