The hypothesis is that this detection identifies potential exploitation attempts by the BlackHole2 Exploit Kit, which commonly delivers malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks before they lead to data exfiltration or system compromise.
YARA Rule
rule blackhole2_pdf : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
        sample_filetype = "pdf"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
        $string1 = "0000036095 00000 n"
        $string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
        $string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
        $string4 = "0000000026 65535 f"
        $string5 = "0000029039 00000 n"
        $string6 = "0000029693 00000 n"
        $string7 = "%PDF-1.6"
        $string8 = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
        $string9 = "0000034423 00000 n"
        $string10 = "0000000010 65535 f"
        $string11 = ">stream"
        $string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
        $string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
        $string14 = "0000003653 00000 n"
        $string15 = "0000000023 65535 f"
        $string16 = "0000028250 00000 n"
        $string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
        $string18 = "<</Root 1 0 R>>"
    condition:
        18 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 19 string patterns in its detection logic.
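As an added example (not part of the original rule or of YaraGenerator's output), the following standard-library Python script re-implements the rule's "18 of them" condition so the threshold can be checked without yara-python installed. It makes visible what the count actually measures: each of the 19 strings counts once no matter how often it occurs, and because several strings are substrings of others ($string0 sits inside $string12, and $string13 and $string17 both end in $string11's ">stream"), a buffer holding only three of the longer strings already scores five. The sample buffers are constructed, not real samples.

```python
"""Standard-library re-implementation of blackhole2_pdf's "18 of them" condition.
Added example; not part of the original rule or YaraGenerator. Sample inputs are constructed."""
from pathlib import Path

# The rule's 19 $stringN patterns as bytes; YARA matches plain text strings byte-for-byte.
BLACKHOLE2_PDF_STRINGS = [
    b"/StructTreeRoot 5 0 R/Type/Catalog>>",
    b"0000036095 00000 n",
    b"http://www.xfa.org/schema/xfa-locale-set/2.1/",
    b"subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00",
    b"0000000026 65535 f",
    b"0000029039 00000 n",
    b"0000029693 00000 n",
    b"%PDF-1.6",
    b"27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ",
    b"0000034423 00000 n",
    b"0000000010 65535 f",
    b">stream",
    b"/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>",
    b"19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream",
    b"0000003653 00000 n",
    b"0000000023 65535 f",
    b"0000028250 00000 n",
    b"iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream",
    b"<</Root 1 0 R>>",
]
THRESHOLD = 18  # the rule's condition: "18 of them"

def matched_indices(data: bytes) -> list:
    """Indices of rule strings present in data. As with YARA's 'N of them', each string
    counts once however many times it occurs, and a string that is a substring of
    another (e.g. $string0 inside $string12) matches whenever the longer one does."""
    return [i for i, s in enumerate(BLACKHOLE2_PDF_STRINGS) if s in data]

def rule_matches(data: bytes) -> bool:
    return len(matched_indices(data)) >= THRESHOLD

def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk (whole-file read; fine for PDF-sized inputs)."""
    return rule_matches(Path(path).read_bytes())

# Constructed buffers (not real samples): 18 of the 19 strings -> match;
# a minimal benign-looking PDF header -> no match; three overlapping strings -> 5 hits.
SAMPLE_HIT = b"\n".join(BLACKHOLE2_PDF_STRINGS[:18])
SAMPLE_MISS = b"%PDF-1.6\n1 0 obj<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
SAMPLE_OVERLAP = b"\n".join(BLACKHOLE2_PDF_STRINGS[i] for i in (12, 13, 17))

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("overlap", SAMPLE_OVERLAP)):
        print(name, matched_indices(buf), rule_matches(buf))
```

Because the xref-table entries ("0000036095 00000 n" and similar) and ">stream" are generic PDF fragments, the high threshold is what keeps this rule specific; lowering it would start matching ordinary PDFs.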
Scenario: Scheduled system maintenance using task scheduler to run a legitimate script that downloads a file from a known CDN (e.g., cloudfront.net or akamai.net).
Filter/Exclusion: Exclude traffic from known CDNs or filter based on source IP ranges associated with CDN providers.
Scenario: Admin performing a software update using Windows Update or WSUS that includes a legitimate payload (e.g., setup.exe or patch.exe) from Microsoft servers.
Filter/Exclusion: Exclude traffic to Microsoft update servers (update.microsoft.com, download.microsoft.com) or filter based on known update file names.
Scenario: IT staff using PowerShell to deploy a configuration script that includes a legitimate download from an internal repository (e.g., internal-repo.company.com).
Filter/Exclusion: Exclude traffic to internal repositories or filter based on internal IP ranges or FQDNs.
Scenario: User downloading a legitimate exploit mitigation tool (e.g., Microsoft Baseline Security Analyzer or CVE patch tool) from a trusted source (e.g., microsoft.com).
Filter/Exclusion: Exclude traffic to Microsoft’s public servers or filter based on known safe file names and domains.
Scenario: System running a legitimate security scan using Nessus or OpenVAS that connects to a remote server to fetch vulnerability data.
Filter/Exclusion: Exclude traffic to known security scanner servers or filter based on the specific IP addresses or domains used by the scanner.