This YARA rule detects the JavaScript redirector that fronted the Angler Exploit Kit: an injected page that sets a PHP_SESSION_PHP cookie with a one-week expiry (60*60*24*7*1000 milliseconds) and then loads the exploit-kit landing page in an iframe, the first stage of a multi-stage drive-by compromise. SOC teams should hunt for this content proactively, for example over captured web responses with matches raised into Azure Sentinel, to identify and contain early-stage compromise attempts before the exploit payload leads to deeper network intrusion.
YARA Rule
rule AnglerEKredirector : EK
{
meta:
description = "Angler Exploit Kit Redirector"
ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
author = "adnan.shukor@gmail.com"
date = "08-July-2015"
impact = "5"
version = "1"
strings:
$ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
$ekr2 = "document.cookie=\"PHP_SESSION_PHP="
$ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
$ekr4 = "<iframe src=" fullword
$ekr5 = "</iframe></div>" fullword
condition:
all of them
}
The rule has five string patterns and a condition of all of them, so every fragment must be present before it fires: the week-long expiry script ($ekr1), the PHP_SESSION_PHP cookie assignment ($ekr2), the cookie path/expiry tail ($ekr3) and the iframe open and close ($ekr4, $ekr5). Four of the five carry the fullword modifier, meaning the bytes on either side of the hit must not be ASCII alphanumerics; $ekr2 does not, since the session value that follows its trailing "=" is alphanumeric and would fail that check. It is a content rule: run it over served page bodies (proxy or IDS captures, sandbox network artefacts, browser-cache files, suspect HTML attachments), not over process telemetry.
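As an added example (not code from the original page or from the rule's author), the following Python re-implements the rule's matching logic so the five strings and the fullword / all-of-them semantics can be exercised offline. The sample pages are constructed for the example, the iframe host landing.example is a placeholder, and the helper names scan, find_hits and iframe_targets are this example's own, not anything the page provides.

```python
"""Added example (not from the original page or the rule's author): a
pure-Python re-implementation of the AnglerEKredirector matching logic,
run over constructed sample pages. It mirrors the YARA semantics the rule
relies on: a 'fullword' string matches only when the bytes immediately
before and after the hit are not ASCII alphanumerics, and 'all of them'
requires every string to hit at least once."""
import re

# The five strings from the rule, byte-for-byte.
PATTERNS = {
    "ekr1": b"<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);",
    "ekr2": b'document.cookie="PHP_SESSION_PHP=',
    "ekr3": b'path=/; expires="+date.toUTCString();</script>',
    "ekr4": b"<iframe src=",
    "ekr5": b"</iframe></div>",
}
# $ekr2 is the only string without the fullword modifier.
FULLWORD = {"ekr1", "ekr3", "ekr4", "ekr5"}


def _alnum(data: bytes, idx: int) -> bool:
    """True if data[idx] exists and is an ASCII letter or digit (YARA's isalnum)."""
    return 0 <= idx < len(data) and bytes([data[idx]]).isalnum()


def find_hits(data: bytes, pattern: bytes, fullword: bool) -> list[int]:
    """All offsets of pattern in data, dropping hits that fail the fullword check."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) >= 0:
        end = i + len(pattern)
        if not fullword or not (_alnum(data, i - 1) or _alnum(data, end)):
            hits.append(i)
        start = i + 1
    return hits


def scan(data: bytes) -> tuple[bool, dict[str, list[int]]]:
    """Evaluate the rule: returns (matched, per-string hit offsets)."""
    offsets = {name: find_hits(data, pat, name in FULLWORD) for name, pat in PATTERNS.items()}
    return all(offsets.values()), offsets


# Triage helper: pull the iframe target(s) out of a matched page.
_IFRAME_SRC = re.compile(rb'''<iframe src=["']?([^"' >]+)''')


def iframe_targets(data: bytes) -> list[str]:
    return [m.decode("ascii", "replace") for m in _IFRAME_SRC.findall(data)]


# Constructed sample shaped like the redirector the rule describes; the iframe
# points at a placeholder host, not a real landing page.
REDIRECTOR_PAGE = (
    b"<html><body>\n"
    b"<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);\n"
    b'document.cookie="PHP_SESSION_PHP=42; path=/; expires="+date.toUTCString();</script>\n'
    b'<div style="position:absolute;left:-9999px;">'
    b'<iframe src="http://landing.example/forum/viewtopic.php" width="1" height="1">'
    b"</iframe></div>\n"
    b"</body></html>\n"
)

# Constructed benign page: sets a cookie and embeds an iframe, but without the
# redirector's exact fragments, so the rule must stay silent.
BENIGN_PAGE = (
    b"<html><body>\n"
    b'<script>document.cookie="theme=dark; path=/";</script>\n'
    b'<div><iframe src="https://video.example/embed/1"></iframe></div>\n'
    b"</body></html>\n"
)

# Constructed edge case: every fragment is present, but $ekr1 is immediately
# followed by an alphanumeric byte, so its fullword check fails and the rule
# does not fire.
FULLWORD_FAIL_PAGE = REDIRECTOR_PAGE.replace(b"*1000);\n", b"*1000);x\n", 1)


if __name__ == "__main__":
    samples = (("redirector", REDIRECTOR_PAGE), ("benign", BENIGN_PAGE),
               ("fullword-fail", FULLWORD_FAIL_PAGE))
    for label, page in samples:
        matched, offsets = scan(page)
        counts = {k: len(v) for k, v in offsets.items()}
        print(f"{label:14} matched={matched} hits={counts}")
        if matched:
            print("  iframe targets:", iframe_targets(page))
```

To cross-check against the real engine, compile the rule above with yara-python (yara.compile(source=...)) and call rules.match(data=...) on the same three samples; it should agree on all of them, and the fullword-fail page is a useful regression case if someone proposes dropping the fullword modifiers to "catch more".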
The process-based exclusions below are SIEM tuning for the alert a match raises, and apply only where the match has been correlated with the process that fetched or wrote the page; they do not change what the YARA rule itself matches. Each is written as an ECS-style field comparison and suppresses an event only when both the process name and the parent name match, because "name != A or parent != B" is the negation of "name == A and parent == B". Confirm the parent/child pairing in your own telemetry before adopting any of them.
Scenario: Legitimate system update via Windows Update
Filter/Exclusion: process.name != "wuauclt.exe" or process.parent.name != "services.exe"
Scenario: Scheduled task running the Microsoft Defender command-line tool (MpCmdRun.exe) for a scan or signature update
Filter/Exclusion: process.name != "mpcmdrun.exe" or process.parent.name != "taskeng.exe"
Caveat: taskeng.exe is the task host on Windows 7 and 8; on Windows 10 and later, scheduled tasks are normally parented by the Schedule service's svchost.exe instance.
Scenario: Admin performing a manual malware scan using Microsoft Defender ATP
Filter/Exclusion: process.name != "MsMpEng.exe" or process.parent.name != "explorer.exe"
Caveat: MsMpEng.exe is the Defender engine service and is started by services.exe, not explorer.exe, so this filter will rarely match as written; check the actual parent in your telemetry.
Scenario: User executing a legitimate security tool (e.g., Malwarebytes) for routine scanning
Filter/Exclusion: process.name != "mbam.exe" or process.parent.name != "explorer.exe"
Scenario: Internal tool used for network monitoring or traffic analysis (e.g., Wireshark)
Filter/Exclusion: process.name != "wireshark.exe" or process.parent.name != "explorer.exe"