The hypothesis is that the detection identifies potential exploitation attempts by the BlackHole2 Exploit Kit, which is commonly used to deliver malware and compromise systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks before they lead to data exfiltration or system compromise.
YARA Rule
rule blackhole2_jar3 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "c7abd2142f121bd64e55f145d4b860fa"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "69/sj]]o"
        $string1 = "GJk5Nd"
        $string2 = "vcs.classu"
        $string3 = "T<EssB"
        $string4 = "1vmQmQ"
        $string5 = "Kf1Ewr"
        $string6 = "c$WuuuKKu5"
        $string7 = "m.classPK"
        $string8 = "chcyih.classPK"
        $string9 = "hw.class"
        $string10 = "f';;;;{"
        $string11 = "vcs.classPK"
        $string12 = "Vbhf_6"
    condition:
        12 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 13 string patterns in its detection logic.
Scenario: A system administrator is using Microsoft Baseline Security Analyzer (MBSA) to perform a security scan and generates a report that includes BlackHole2-related strings.
Filter/Exclusion: Check for the presence of mbsa.exe or mbsa in the process name or command line.
Scenario: A scheduled backup job using Veeam Backup & Replication is configured to run a script that includes BlackHole2-related payloads for testing purposes.
Filter/Exclusion: Exclude processes associated with veeam.exe or check for the presence of a known test script or environment variable indicating a test scenario.
Scenario: An IT support tool like SolarWinds LCE is used to deploy patches and includes a temporary payload that matches BlackHole2 signatures during a patch deployment.
Filter/Exclusion: Filter out processes associated with solarwinds.exe or check for the presence of a patch deployment tool or known safe payload signature.
Scenario: A system update task using Windows Update triggers a script that includes BlackHole2-related strings for compatibility testing.
Filter/Exclusion: Exclude processes related to wuauclt.exe or check for the presence of a test environment flag or known safe script path.
Scenario: A network monitoring tool like Wireshark is used to capture and analyze traffic, and the captured data includes BlackHole2-related payloads for forensic analysis.
Filter/Exclusion: Exclude processes associated with wireshark.exe or check for the presence of a forensic analysis flag or known capture file signature.
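The rule's "12 of them" condition over the 13 strings, combined with the process-name exclusions listed in the scenarios above, as an added example that is not part of the original page: a plain-Python emulation (no yara-python dependency) that triages a constructed sample. The function names, the constructed samples and the case-insensitive substring matching used for the exclusions are assumptions.

```python
# Added example (not from the original page): emulate the rule's
# "12 of them" condition and apply the page's process-name exclusions
# before a hit is escalated. Constructed sample data; no yara-python.

RULE_STRINGS = [
    b"69/sj]]o", b"GJk5Nd", b"vcs.classu", b"T<EssB", b"1vmQmQ", b"Kf1Ewr",
    b"c$WuuuKKu5", b"m.classPK", b"chcyih.classPK", b"hw.class", b"f';;;;{",
    b"vcs.classPK", b"Vbhf_6",
]
THRESHOLD = 12  # condition: 12 of them

# Tools the page lists as expected benign sources of these strings.
# Assumption: matched as case-insensitive substrings of process/command line.
EXCLUDED_PROCESSES = ("mbsa", "veeam", "solarwinds", "wuauclt", "wireshark")


def matched_strings(data: bytes) -> list:
    """Return the rule strings present in the byte blob (plain substring match)."""
    return [s for s in RULE_STRINGS if s in data]


def rule_matches(data: bytes) -> bool:
    """Emulate the YARA condition: at least THRESHOLD of the strings present."""
    return len(matched_strings(data)) >= THRESHOLD


def is_excluded(process_name: str, command_line: str = "") -> bool:
    """Apply the page's filter: exclude when a listed tool appears in the
    process name or command line."""
    haystack = (process_name + " " + command_line).lower()
    return any(tool in haystack for tool in EXCLUDED_PROCESSES)


def triage(data: bytes, process_name: str, command_line: str = "") -> str:
    """Verdict for a hunt: 'escalate', 'excluded' (rule hit produced by a
    listed tool) or 'no_match' (below the 12-of-13 threshold)."""
    if not rule_matches(data):
        return "no_match"
    if is_excluded(process_name, command_line):
        return "excluded"
    return "escalate"


# Constructed sample: all 13 strings separated by a filler byte.
SAMPLE_HIT = b"\x00".join(RULE_STRINGS)
# Constructed sample: only 11 strings, so below the threshold.
SAMPLE_NEAR_MISS = b"\x00".join(RULE_STRINGS[:11])

if __name__ == "__main__":
    print(triage(SAMPLE_HIT, "java.exe", "-jar sample.jar"))  # escalate
    print(triage(SAMPLE_HIT, "mbsa.exe", "/xmlout report"))   # excluded
    print(triage(SAMPLE_NEAR_MISS, "java.exe"))               # no_match
```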