The detection hypothesis is that the rule identifies attempted exploitation by the BlackHole2 Exploit Kit, which was widely used to deliver malware and establish command-and-control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel, for example by forwarding YARA matches from endpoint or file-share scans, to identify and contain early-stage compromise before it develops into a full intrusion.
YARA Rule
rule blackhole2_htm12 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
        hash1 = "6f27377115ba5fd59f007d2cb3f50b35"
        hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
        hash3 = "06997228f2769859ef5e4cd8a454d650"
        hash4 = "11062eea9b7f2a2675c1e60047e8735c"
        hash7 = "4ec720cfafabd1c9b1034bb82d368a30"
        hash8 = "ecd7d11dc9bb6ee842e2a2dce56edc6f"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = " <title>Index of /data</title>"
        $string1 = "<tr><th colspan"
        $string2 = "</body></html>"
        $string3 = "> 20K</td><td>"
        $string4 = "/icons/layout.gif"
        $string5 = " <body>"
        $string6 = ">Name</a></th><th><a href"
        $string7 = ">spn.jar</a></td><td align"
        $string8 = ">spn2.jar</a></td><td align"
        $string9 = " <head>"
        $string10 = "-//W3C//DTD HTML 3.2 Final//EN"
        $string11 = "> 10K</td><td>"
        $string12 = ">7.9K</td><td>"
        $string13 = ">Size</a></th><th><a href"
        $string14 = "><hr></th></tr>"
    condition:
        14 of them
}
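The following is an added example, not code from the original page or from the rule's author: a plain-Python emulation of how blackhole2_htm12 evaluates (each text string is a case-sensitive byte substring; "14 of them" counts distinct string identifiers that hit). It lets the rule be exercised offline without yara-python. The three directory listings it scans are constructed here to mimic the Apache autoindex page the strings were generated from; the file names and sizes other than spn.jar and spn2.jar are assumptions.

```python
# Added example, not part of the original page or the rule author's code: a
# plain-Python emulation of the blackhole2_htm12 matching logic (substring
# presence of each text string, "14 of them"), so the rule can be exercised
# offline without yara-python. The directory listings below are constructed.

RULE_STRINGS = [
    " <title>Index of /data</title>",
    "<tr><th colspan",
    "</body></html>",
    "> 20K</td><td>",
    "/icons/layout.gif",
    " <body>",
    ">Name</a></th><th><a href",
    ">spn.jar</a></td><td align",
    ">spn2.jar</a></td><td align",
    " <head>",
    "-//W3C//DTD HTML 3.2 Final//EN",
    "> 10K</td><td>",
    ">7.9K</td><td>",
    ">Size</a></th><th><a href",
    "><hr></th></tr>",
]
THRESHOLD = 14  # the rule's condition: 14 of them


def matched_strings(data: bytes) -> list:
    """Rule strings found in data. YARA text strings are case-sensitive
    byte sequences, and "N of them" counts distinct identifiers that hit."""
    return [s for s in RULE_STRINGS if s.encode() in data]


def blackhole2_htm12(data: bytes) -> bool:
    return len(matched_strings(data)) >= THRESHOLD


def build_listing(entries, title="Index of /data") -> bytes:
    """Constructed Apache mod_autoindex page; entries are (name, size) with
    the size column padded the way Apache prints it (" 20K", "7.9K")."""
    rows = "".join(
        '<tr><td valign="top"><img src="/icons/layout.gif" alt="[   ]"></td>'
        f'<td><a href="{name}">{name}</a></td>'
        '<td align="right">2012-10-01 12:00  </td>'
        f'<td align="right">{size}</td><td>&nbsp;</td></tr>\n'
        for name, size in entries
    )
    return (
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
        "<html>\n <head>\n"
        f"  <title>{title}</title>\n"
        " </head>\n <body>\n"
        f"<h1>{title}</h1>\n"
        '<table><tr><th><a href="?C=N;O=D">Name</a></th>'
        '<th><a href="?C=M;O=A">Last modified</a></th>'
        '<th><a href="?C=S;O=A">Size</a></th>'
        '<th><a href="?C=D;O=A">Description</a></th></tr>\n'
        '<tr><th colspan="5"><hr></th></tr>\n'
        + rows
        + '<tr><th colspan="5"><hr></th></tr>\n</table>\n</body></html>\n'
    ).encode()


# Constructed samples: a kit staging directory with both jars, the same
# directory with only one jar, and an unrelated /downloads listing.
SAMPLES = {
    "kit_listing": build_listing(
        [("spn.jar", " 20K"), ("spn2.jar", " 10K"), ("dnd.txt", "7.9K")]
    ),
    "kit_listing_one_jar": build_listing(
        [("spn.jar", " 20K"), ("index.txt", " 10K"), ("dnd.txt", "7.9K")]
    ),
    "benign_listing": build_listing(
        [("report.pdf", " 20K"), ("setup.msi", " 10K"), ("notes.txt", "7.9K")],
        title="Index of /downloads",
    ),
}


def scan(samples=SAMPLES) -> dict:
    """Map each sample name to (number of rule strings hit, rule verdict)."""
    return {n: (len(matched_strings(d)), blackhole2_htm12(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (hits, verdict) in scan().items():
        print(f"{name:20s} {hits:2d}/15 strings  match={verdict}")
```

The second sample shows the slack the threshold gives: a listing that carries spn.jar but not spn2.jar still hits 14 strings and matches, while an ordinary directory index under a different path loses the title and both jar strings and stops at 12. Twelve of the fifteen strings are generic Apache autoindex markup, so the rule's real discriminators are the /data title and the two jar names.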
This rule contains 15 string patterns, and its condition requires any 14 of them, so a file missing a single string (for example a listing that carries spn.jar but not spn2.jar) still matches. Taken together the strings describe an Apache-style directory index titled "Index of /data" that lists spn.jar and spn2.jar, so expect hits on saved copies of kit staging pages rather than on the exploit payloads themselves.
This YARA rule can be deployed in the following contexts. The process-based exclusions below only apply once a file match has been joined to the process that wrote or opened the file (YARA inspects content, not process names), and each exclusion must remove every process it lists (two "!=" tests have to be joined with "and", not "or") while staying narrow enough that a scripting host launching an unexpected payload is still visible:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm.exe" and process.name != "vpxa.exe"
Scenario: Admin performing Windows Update or Group Policy deployment
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "gpupdate.exe"
Scenario: Running PowerShell scripts for routine system maintenance or configuration management
Filter/Exclusion: process.name != "powershell.exe" or process.args not containing "script.ps1" (excludes only PowerShell launches of that specific script; powershell.exe itself is not excluded)
Scenario: Logon scripts executed during user authentication (e.g., via PowerShell or cmd.exe)
Filter/Exclusion: (process.name != "cmd.exe" and process.name != "powershell.exe") or process.args not containing "logon.bat"
Scenario: Database backup jobs using SQL Server Agent or MySQL Backup Tool
Filter/Exclusion: process.name != "sqlservr.exe" and process.name != "mysqldump.exe"
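The following is an added example, not part of the original page: it evaluates the exclusion expressions above against a handful of constructed process events so the effect of the boolean form is visible. The field names follow the page's process.name and process.args; the events, script paths and the "as written" predicates (a "!=" pair joined by "or", and the logon filter without parentheses) are constructed here to show what those forms exclude.

```python
# Added example, not part of the original page: the "Filter/Exclusion"
# expressions are evaluated against constructed process events so the effect
# of the boolean form is visible. Field names follow the page's process.name
# and process.args; the events and script paths are made up.

EVENTS = [
    {"process.name": "vbm.exe", "process.args": ""},
    {"process.name": "sqlservr.exe", "process.args": ""},
    {"process.name": "powershell.exe", "process.args": "-File C:\\scripts\\script.ps1"},
    {"process.name": "powershell.exe", "process.args": "-nop -w hidden"},
    {"process.name": "cmd.exe", "process.args": "/c logon.bat"},
    {"process.name": "powershell.exe", "process.args": "-c logon.bat"},
    {"process.name": "java.exe", "process.args": "-jar spn.jar"},
]


def keep_as_written_backup(e):
    # process.name != "vbm.exe" or process.name != "vpxa.exe"
    # A name can never equal both, so one side is always True: nothing is excluded.
    return e["process.name"] != "vbm.exe" or e["process.name"] != "vpxa.exe"


def keep_corrected_backup(e):
    # Exclude either backup process: both inequalities must hold to keep the event.
    return e["process.name"] != "vbm.exe" and e["process.name"] != "vpxa.exe"


def keep_as_written_logon(e):
    # process.name != "cmd.exe" or process.name != "powershell.exe" and args not containing "logon.bat"
    # "and" binds tighter than "or", so a powershell.exe launch of logon.bat is kept
    # (the left operand is True) and only cmd.exe launches are excluded.
    return e["process.name"] != "cmd.exe" or (
        e["process.name"] != "powershell.exe" and "logon.bat" not in e["process.args"]
    )


def keep_unless_script(names, needle):
    # Intended exclusion is (name in names AND args contain needle); by De Morgan the
    # keep predicate is (name not in names) OR (needle not in args). This is the same
    # shape the page already uses for the script.ps1 maintenance case.
    return lambda e: e["process.name"] not in names or needle not in e["process.args"]


def dropped(events, keep):
    """Events an exclusion removes, rendered as 'name args' for readability."""
    return [f'{e["process.name"]} {e["process.args"]}'.strip() for e in events if not keep(e)]


def compare(events=EVENTS) -> dict:
    return {
        "backup_as_written": dropped(events, keep_as_written_backup),
        "backup_corrected": dropped(events, keep_corrected_backup),
        "logon_as_written": dropped(events, keep_as_written_logon),
        "logon_corrected": dropped(
            events, keep_unless_script(("cmd.exe", "powershell.exe"), "logon.bat")
        ),
        "maintenance": dropped(events, keep_unless_script(("powershell.exe",), "script.ps1")),
    }


if __name__ == "__main__":
    for label, removed in compare().items():
        print(f"{label:20s} excludes {removed or 'nothing'}")
```

Two things are worth checking in the output: the "as written" backup filter excludes nothing at all, and the unparenthesised logon filter misses the PowerShell launch of logon.bat while the corrected one removes both launches. The constructed java.exe -jar spn.jar event survives every filter, which is the property a false-positive exclusion must preserve.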