The BlackHole2 Exploit Kit Detection rule identifies BlackHole2 artifacts by matching, in file content, CSS strings that reference the kit's panel image assets (countries.gif, exploit.gif, oses.gif, browsers.gif and similar); it inspects scanned files, not network traffic. SOC teams should proactively hunt for these artifacts in Azure Sentinel to detect and mitigate early-stage compromise by exploit kits that may lead to persistent threats.
YARA Rule
rule blackhole2_css : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "9664a16c65782d56f02789e7d52359cd"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        // CSS references to the kit's control-panel images
        $string1 = "background:url('%%?a=img&img=countries.gif')"
        $string2 = "background:url('%%?a=img&img=exploit.gif')"
        $string3 = "background:url('%%?a=img&img=oses.gif')"
        $string4 = "background:url('%%?a=img&img=browsers.gif')"
        $string5 = "background:url('%%?a=img&img=edit.png')"
        $string6 = "background:url('%%?a=img&img=add.png')"
        $string7 = "background:url('%%?a=img&img=accept.png')"
        $string8 = "background:url('%%?a=img&img=del.png')"
        $string9 = "background:url('%%?a=img&img=stat.gif')"
    condition:
        // Only 9 strings are defined, so the published "18 of them"
        // could never be satisfied; require all 9 instead.
        all of them
}
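To show why the condition matters, here is an added example (not part of the original rule or page) that parses the rule's strings and condition with the standard library only and evaluates them against a constructed stylesheet; it demonstrates that the published "18 of them" against nine strings can never match, while "all of them" does. The RULE text is a trimmed copy of the rule above; PANEL_CSS is a constructed sample, not a real kit file.

```python
import re

# Trimmed copy of the page's rule (meta omitted), used as parser input.
RULE = r'''rule blackhole2_css : EK
{
    strings:
        $string1 = "background:url('%%?a=img&img=countries.gif')"
        $string2 = "background:url('%%?a=img&img=exploit.gif')"
        $string3 = "background:url('%%?a=img&img=oses.gif')"
        $string4 = "background:url('%%?a=img&img=browsers.gif')"
        $string5 = "background:url('%%?a=img&img=edit.png')"
        $string6 = "background:url('%%?a=img&img=add.png')"
        $string7 = "background:url('%%?a=img&img=accept.png')"
        $string8 = "background:url('%%?a=img&img=del.png')"
        $string9 = "background:url('%%?a=img&img=stat.gif')"
    condition:
        18 of them
}'''

def parse_rule(text):
    """Return (strings, condition) for a rule that uses only plain text
    strings and an 'N of them' / 'all of them' condition (all this rule needs)."""
    strings = dict(re.findall(r'(\$\w+)\s*=\s*"([^"]*)"', text))
    cond = re.search(r'condition:\s*(\w+)\s+of\s+them', text).group(1)
    return strings, cond

def evaluate(strings, cond, data):
    """Mimic YARA's 'N of them': count strings that occur in data as raw bytes."""
    hits = sum(1 for s in strings.values() if s.encode() in data)
    needed = len(strings) if cond == "all" else int(cond)
    return hits >= needed

def scan(rule_text, data):
    return evaluate(*parse_rule(rule_text), data)

# Constructed sample stylesheet containing every string from the rule.
PANEL_CSS = b"\n".join(b".s { %s }" % s.encode() for s in parse_rule(RULE)[0].values())

if __name__ == "__main__":
    print(scan(RULE, PANEL_CSS))                        # False: 18 of 9 is impossible
    fixed = RULE.replace("18 of them", "all of them")
    print(scan(fixed, PANEL_CSS))                       # True
    print(scan(fixed, b"body { color: #000; }"))        # False: benign CSS
```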
This rule contains 9 string patterns in its detection logic.
The following benign scenarios are listed as exclusion candidates. They are expressed as process-level filters for the telemetry pipeline (for example an Azure Sentinel hunting query) and do not change what the YARA rule itself matches against file content. Each filter is written so that it actually excludes the scenario: two inequalities on the same field must be joined with "and" (joined with "or" they are always true).
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm.exe" and process.name != "vbackup.exe"
Scenario: Admin performing Windows Update via Group Policy
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "msiexec.exe"
Scenario: Running PowerShell scripts for routine system maintenance
Filter/Exclusion: process.name != "powershell.exe" or script.name != "maintenance.ps1"
Scenario: Log management tool like Splunk or ELK Stack collecting logs
Filter/Exclusion: process.name != "splunkd.exe" and process.name != "logstash.jar"
Scenario: Database backup job using SQL Server Agent
Filter/Exclusion: process.name != "sqlservr.exe" and process.name != "sqlagent.exe"