The hunting hypothesis is that this detection identifies potential exploitation attempts by the BlackHole2 Exploit Kit, which is commonly used to deliver malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel so that early-stage attacks are identified and mitigated before they lead to data exfiltration or system compromise.
YARA Rule
rule blackhole2_jar : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "86946ec2d2031f2b456e804cac4ade6d"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "k0/3;N"
        $string1 = "g:WlY0"
        $string2 = "(ww6Ou"
        $string3 = "SOUGX["
        $string4 = "7X2ANb"
        $string5 = "r8L<;zYH)"
        $string6 = "fbeatbea/fbeatbee.classPK"
        $string7 = "fbeatbea/fbeatbec.class"
        $string8 = "fbeatbea/fbeatbef.class"
        $string9 = "fbeatbea/fbeatbef.classPK"
        $string10 = "fbeatbea/fbeatbea.class"
        $string11 = "fbeatbea/fbeatbeb.classPK"
        $string12 = "nOJh-2"
        $string13 = "[af:Fr"
    condition:
        13 of them
}
This rule contains 14 string patterns in its detection logic and fires when at least 13 of them are present in the scanned file. Note that the rule itself matches file content (the class paths and byte sequences of a JAR), so the process-based filters below apply to the telemetry surrounding a match rather than to the YARA condition. The following scenarios describe benign activity that may resemble this detection, together with suggested filters or exclusions:
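To make the threshold semantics of the rule concrete, here is an added Python example (not part of the original rule or this page) that re-implements its 14 plain strings and the `13 of them` condition as substring checks over a constructed JAR-like buffer; the sample bytes are constructed test data, not a real BlackHole2 sample.

```python
# Added example: plain-Python re-implementation of the blackhole2_jar string set
# and its "13 of them" condition. Sample bytes below are constructed, not real.

# All 14 plain strings from the rule. YARA text strings without modifiers are
# case-sensitive byte sequences, so a bytes substring test reproduces them.
BLACKHOLE2_STRINGS = {
    "string0": b"k0/3;N",
    "string1": b"g:WlY0",
    "string2": b"(ww6Ou",
    "string3": b"SOUGX[",
    "string4": b"7X2ANb",
    "string5": b"r8L<;zYH)",
    "string6": b"fbeatbea/fbeatbee.classPK",
    "string7": b"fbeatbea/fbeatbec.class",
    "string8": b"fbeatbea/fbeatbef.class",
    "string9": b"fbeatbea/fbeatbef.classPK",
    "string10": b"fbeatbea/fbeatbea.class",
    "string11": b"fbeatbea/fbeatbeb.classPK",
    "string12": b"nOJh-2",
    "string13": b"[af:Fr",
}
THRESHOLD = 13  # the rule's condition "13 of them" means at least 13 matched


def matched_strings(data: bytes) -> set:
    """Return the names of rule strings found anywhere in data."""
    return {name for name, pat in BLACKHOLE2_STRINGS.items() if pat in data}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least THRESHOLD of the 14 strings hit."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(omit=()) -> bytes:
    """Construct a fake JAR-like blob holding every rule string except those
    named in omit, separated by filler bytes. Constructed test data only."""
    parts = [b"PK\x03\x04"]  # zip local-file-header magic, as a JAR starts
    for name, pat in BLACKHOLE2_STRINGS.items():
        if name not in omit:
            parts.append(pat + b"\x00\x01\x02")
    return b"".join(parts)


if __name__ == "__main__":
    for omit in ((), ("string0",), ("string0", "string13")):
        print(f"omitting {omit or 'nothing'} -> match={rule_matches(build_sample(omit))}")
```

Because `$string8` is a prefix of `$string9`, dropping `$string8` alone from a sample still yields 14 hits, so the rule effectively has 13 independent strings and the threshold leaves almost no slack for variants.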
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., schtasks.exe or Task Scheduler) is executing a script that mimics exploit kit behavior.
Filter/Exclusion: Check for process.parent_process containing Task Scheduler or schtasks.exe, and filter out scripts known to be part of standard maintenance routines.
Scenario: Admin Performing Remote Code Execution (RCE) via PowerShell
Description: An administrator is using PowerShell (powershell.exe) to perform a remote code execution task, such as deploying patches or configuration changes.
Filter/Exclusion: Filter out processes where process.user is a known admin account (e.g., Administrator) and process.name is powershell.exe with a known legitimate script path.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Malwarebytes or Kaspersky is performing a full system scan, which may trigger heuristic-based detection of exploit kit components.
Filter/Exclusion: Include a filter for process.name containing mbam.exe, kav.exe, or other known antivirus processes, and exclude any activity during scheduled scan windows.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) update deployment is executing a payload that matches the exploit kit signature.
Filter/Exclusion: Filter for process.parent_process containing ccmexec.exe or smsts.exe, and exclude any activity related to known update packages.
Scenario: Legitimate Network Monitoring Tool Behavior
Description: A network monitoring tool like Wireshark or tcpdump is capturing traffic that includes exploit kit-related payloads for analysis.
Filter/Exclusion: Filter for `