The hypothesis is that the detection identifies potential exploitation attempts by the BlackHole2 Exploit Kit, which is known to deliver malicious payloads through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts before they lead to full-scale attacks.
YARA Rule
rule blackhole2_htm8 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
        hash1 = "1e2ba0176787088e3580dfce0245bc16"
        hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
        hash3 = "f5e16a6cd2c2ac71289aaf1c087224ee"
        hash7 = "6702efdee17e0cd6c29349978961d9fa"
        hash8 = "287dca9469c8f7f0cb6e5bdd9e2055cd"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = ">Description</a></th></tr><tr><th colspan"
        $string1 = ">Name</a></th><th><a href"
        $string2 = "main.js"
        $string3 = "datepicker.js"
        $string4 = "form.js"
        $string5 = "<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>"
        $string6 = "wysiwyg.js"
    condition:
        6 of them
}
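To see how selective the "6 of them" condition really is, the following added example (not part of the original rule or page) emulates the rule's string matching in pure Python and runs it over three constructed HTML samples: an autoindex listing from the host named in $string5, the same listing from an unrelated hostname, and an ordinary page. The hostnames in the samples other than online-moo-viii.net are constructed placeholders.

```python
# Added example: pure-Python emulation of blackhole2_htm8's "6 of them"
# condition, checked against constructed sample documents (not YARA itself).
from typing import Dict, List

# The seven strings exactly as the rule defines them; YARA matches
# plain strings case-sensitively as ASCII bytes, so bytes are used here.
RULE_STRINGS: Dict[str, bytes] = {
    "$string0": b">Description</a></th></tr><tr><th colspan",
    "$string1": b">Name</a></th><th><a href",
    "$string2": b"main.js",
    "$string3": b"datepicker.js",
    "$string4": b"form.js",
    "$string5": b"<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>",
    "$string6": b"wysiwyg.js",
}
THRESHOLD = 6  # the rule's condition: 6 of them


def matched_strings(data: bytes) -> List[str]:
    """Return identifiers of the rule strings present anywhere in data."""
    return [name for name, pattern in RULE_STRINGS.items() if pattern in data]


def rule_matches(data: bytes) -> bool:
    """Emulate `condition: 6 of them` for this rule."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample 1: an Apache autoindex page on the host from $string5,
# listing the four script files. All seven strings are present.
EK_LISTING = (
    b"<tr><th><a href=\"?C=N;O=D\">Name</a></th><th><a href=\"?C=M;O=A\">Last modified</a></th>"
    b"<th><a href=\"?C=D;O=A\">Description</a></th></tr><tr><th colspan=\"5\"><hr></th></tr>\n"
    b"<tr><td><a href=\"main.js\">main.js</a></td></tr>\n"
    b"<tr><td><a href=\"datepicker.js\">datepicker.js</a></td></tr>\n"
    b"<tr><td><a href=\"form.js\">form.js</a></td></tr>\n"
    b"<tr><td><a href=\"wysiwyg.js\">wysiwyg.js</a></td></tr>\n"
    b"<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>\n"
)

# Constructed sample 2: identical autoindex markup served by an unrelated
# internal host (placeholder name). Only $string5 drops out, so 6 of 7 still fire.
BENIGN_LISTING = EK_LISTING.replace(b"online-moo-viii.net", b"intranet.example.internal")

# Constructed sample 3: an ordinary page that merely loads a main.js.
PLAIN_PAGE = b"<html><head><script src=\"/static/main.js\"></script></head></html>"

if __name__ == "__main__":
    for label, doc in (("ek", EK_LISTING), ("benign", BENIGN_LISTING), ("plain", PLAIN_PAGE)):
        print(label, rule_matches(doc), matched_strings(doc))
```

The second sample shows that any Apache directory listing containing these four common script names satisfies the condition without the $string5 server banner, so when triaging hits, $string5 (or the hostname inside it) is the indicator worth weighting, and the Apache autoindex markup alone should not be treated as evidence of the kit.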
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: System update or patching process using Microsoft Update or WSUS
Filter/Exclusion: Check for process.name containing “wusa.exe” or “wuauclt.exe” and filter out known update processes.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter out processes with process.name containing “veeam” or “backup” and check for known backup-related command lines.
Scenario: Administrative task using PowerShell for system configuration
Filter/Exclusion: Exclude PowerShell scripts that include known administrative tools like Invoke-Command, Register-ScheduledTask, or Set-ItemProperty.
Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Filter processes with process.name containing “splunkd.exe”, “logstash”, or “kibana” and check for known log collection activities.
Scenario: Internal penetration testing using Metasploit or Nmap
Filter/Exclusion: Exclude processes with process.name containing “msfconsole”, “nmap”, or “metasploit” and check for known test environments or lab IPs.