Angler Exploit Kit activity is detected through unusual network traffic patterns and suspicious file execution behavior indicative of exploit kit deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from Angler, an exploit kit known for delivering malware to victims it exploits.
YARA Rule
rule angler_js : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Angler Exploit Kit Detection"
        hash0 = "482d6c24a824103f0bcd37fa59e19452"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = " 2654435769, Be"
        $string1 = "DFOMIqka "
        $string2 = ", Zydr$>>16"
        $string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
        $string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t P b50GW"
        $string5 = " auSt;"
        $string6 = " eval (NDbMFR "
        $string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj 3 D ',"
        $string8 = "('fE').substr (2 , 1 "
        $string9 = ", -1 "
        $string10 = " ) );Zydr$ [ 1]"
        $string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
        $string12 = "new Array (2), Ykz"
        $string13 = "<script> "
        $string14 = "); CYxin "
        $string15 = "Zydr$ [ 1]"
        $string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
        $string17 = "reXKyQsob1reXKyQsob3 "
    condition:
        17 of them
}
This rule contains 18 string patterns in its detection logic, and its condition fires when at least 17 of them are found in the scanned file.
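To show how the rule's condition behaves on a buffer, here is an added Python example (not part of the original page or the rule author's work) that parses the strings and condition section above and applies the "17 of them" threshold with plain substring matching, reporting which literals did not hit for triage. It assumes only text literals without modifiers, as in this rule; the sample buffers are constructed, not a real landing page, and yara-python or the yara CLI remains the tool for production scanning.

```python
import re

# Strings and condition of the angler_js rule on this page, copied verbatim.
# Every literal is plain text (no modifiers, hex or regex), so for this rule
# YARA matching reduces to a case-sensitive substring search.
ANGLER_JS_RULE = r'''
strings:
$string0 = " 2654435769, Be"
$string1 = "DFOMIqka "
$string2 = ", Zydr$>>16"
$string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
$string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t P b50GW"
$string5 = " auSt;"
$string6 = " eval (NDbMFR "
$string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj 3 D ',"
$string8 = "('fE').substr (2 , 1 "
$string9 = ", -1 "
$string10 = " ) );Zydr$ [ 1]"
$string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
$string12 = "new Array (2), Ykz"
$string13 = "<script> "
$string14 = "); CYxin "
$string15 = "Zydr$ [ 1]"
$string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
$string17 = "reXKyQsob1reXKyQsob3 "
condition:
17 of them
'''

def parse_rule(rule_text):
    """Return ({identifier: literal}, N) for an 'N of them' text-literal rule."""
    strings = dict(re.findall(r'^\s*\$(\w+)\s*=\s*"(.*)"\s*$', rule_text, re.M))
    threshold = int(re.search(r'^\s*(\d+)\s+of\s+them\s*$', rule_text, re.M).group(1))
    return strings, threshold

def evaluate(rule_text, data):
    """Apply 'N of them'; also return the literals that did not hit, which is
    the first thing to check when triaging a match or a near miss."""
    strings, threshold = parse_rule(rule_text)
    hits = {n for n, lit in strings.items() if lit.encode() in data}
    return len(hits) >= threshold, [n for n in strings if n not in hits]

# Constructed buffers, not a real landing page: all 18 literals joined, then
# one and two of them broken by a single whitespace change, the kind of
# obfuscator drift that makes an exact-literal rule go quiet.
FULL = "\n".join(parse_rule(ANGLER_JS_RULE)[0].values()).encode()
ONE_SHORT = FULL.replace(b"new Array (2), Ykz", b"new Array(2), Ykz")
TWO_SHORT = ONE_SHORT.replace(b" eval (NDbMFR ", b" eval(NDbMFR ")
```

Running `evaluate(ANGLER_JS_RULE, TWO_SHORT)` returns a non-match with `string6` and `string12` listed as missing, which is the kind of near miss worth a lower-threshold hunting variant of the rule.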
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a payload or modifying system files.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or Windows Update, or filter by process name such as schtasks.exe or wuauclt.exe.
Scenario: Admin Performing Patch Deployment
Description: An administrator uses a tool like Microsoft Baseline Security Analyzer (MBSA) or Windows Server Update Services (WSUS) to deploy patches, which may involve downloading and executing scripts.
Filter/Exclusion: Exclude processes related to patch management tools or filter by IP addresses associated with internal patch servers.
Scenario: Internal Security Tool Testing
Description: A security tool like Nessus or OpenVAS is used for vulnerability scanning and may generate network activity similar to that of an exploit kit.
Filter/Exclusion: Exclude traffic from known security scanning tools or filter by source IP addresses associated with internal security tools.
Scenario: User-Initiated Software Installation
Description: A user installs a legitimate software package that includes a downloader or installer script, which may trigger the same network behavior as an exploit kit.
Filter/Exclusion: Exclude processes initiated by user interaction or filter by known software installers like msiexec.exe or setup.exe.
Scenario: Log Collection and Monitoring Tool Activity
Description: A log collection tool like Splunk or ELK Stack may execute scripts or connect to remote servers for data aggregation, which could be mistaken for exploit kit activity.
Filter/Exclusion: Exclude traffic from log management tools or filter by known log collection processes and IP ranges.