The Eleonore Exploit Kit Detection rule (eleonore_jar3) identifies the Java archive (JAR) payload the kit serves from compromised websites to exploit visiting browsers and deliver malware; the rule name and its strings (META-INF/MANIFEST.MF, ghsdr/*.class) show that it targets that JAR rather than the landing page. SOC teams can hunt for matches in Azure Sentinel to catch the delivery and exploitation stage, before the dropped malware attempts lateral movement or data exfiltration.
YARA Rule
rule eleonore_jar3 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "f65f3b9b809ebf221e73502480ab6ea7"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "16lNYF2V"
        $string1 = "META-INF/MANIFEST.MFPK"
        $string2 = "ghsdr/Jewredd.classPK"
        $string3 = "ghsdr/Gedsrdc.class"
        $string4 = "e[<n55"
        $string5 = "ghsdr/Gedsrdc.classPK"
        $string6 = "META-INF/"
        $string7 = "na}pyO"
        $string8 = "9A1.F\\"
        $string9 = "ghsdr/Kocer.class"
        $string10 = "MXGXO8"
        $string11 = "ghsdr/Kocer.classPK"
        $string12 = "ghsdr/Jewredd.class"

    condition:
        12 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 13 string patterns; its condition fires when at least 12 of them are present in a scanned file. Eight of the strings are ZIP entry names from the kit's JAR (META-INF/ and the three ghsdr/*.class files, several also matched with the "PK" of the next archive header directly after the name in the central directory); the bare names survive any repack of the archive, while the "...PK" variants depend on the central directory carrying no extra field or comment after each name. The other five ("16lNYF2V", "e[<n55", "na}pyO", "9A1.F\\", "MXGXO8") look like fragments of the original sample's compressed data, as expected from a rule YaraGenerator produced from the single sample in hash0. Recompressing or repacking the JAR removes those five, leaving at most 8 of 13 and no match, so treat the rule as a signature for that exact build rather than for the kit's JAR family. YARA matches file content, so run it where the files are available (endpoint file scans, proxy or mail-gateway captures, sandbox output); the process-based exclusions below apply when a file match is correlated with process telemetry during alert triage, not to the YARA evaluation itself.
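As an added worked example (not the page's or the rule author's code), the Python script below re-implements the rule's string matching and its "12 of them" condition, then runs it over JAR files it builds in memory with the standard zipfile module so it needs neither yara-python nor a real sample. The kit-like archive is a constructed stand-in, not the file in hash0: it reuses the rule's entry names and deliberately plants the five data fragments in a stored (uncompressed) class body so that all 13 strings are present. The same archive repacked with deflate, and a benign JAR with only a manifest and an unrelated class, show where the threshold lands. Entry names, class bodies and the fragment placement are all assumptions made for the example.

```python
"""Re-implementation of the eleonore_jar3 string logic over constructed JARs.

Added example, not the page's or the rule author's code. Archives are built
in memory with zipfile so the script runs offline without yara-python.
"""
from __future__ import annotations

import io
import zipfile

# The 13 literal strings from the rule. YARA's "\\" is a single backslash.
RULE_STRINGS: dict[str, bytes] = {
    "$string0": b"16lNYF2V",
    "$string1": b"META-INF/MANIFEST.MFPK",
    "$string2": b"ghsdr/Jewredd.classPK",
    "$string3": b"ghsdr/Gedsrdc.class",
    "$string4": b"e[<n55",
    "$string5": b"ghsdr/Gedsrdc.classPK",
    "$string6": b"META-INF/",
    "$string7": b"na}pyO",
    "$string8": b"9A1.F\\",
    "$string9": b"ghsdr/Kocer.class",
    "$string10": b"MXGXO8",
    "$string11": b"ghsdr/Kocer.classPK",
    "$string12": b"ghsdr/Jewredd.class",
}
THRESHOLD = 12  # condition: 12 of them

# Strings that are ZIP entry names (survive a repack) versus fragments of the
# original sample's compressed data (survive only a byte-identical copy).
ENTRY_NAME_IDS = {"$string1", "$string2", "$string3", "$string5", "$string6",
                  "$string9", "$string11", "$string12"}
FRAGMENT_IDS = set(RULE_STRINGS) - ENTRY_NAME_IDS


def matched_strings(data: bytes) -> list[str]:
    """Identifiers of the rule strings found in data. A plain case-sensitive
    substring search is what YARA does for unmodified ascii strings."""
    return [sid for sid, needle in RULE_STRINGS.items() if needle in data]


def rule_fires(data: bytes) -> bool:
    """Evaluate the condition '12 of them' against the matched set."""
    return len(matched_strings(data)) >= THRESHOLD


def build_jar(entries: dict[str, bytes], compression: int = zipfile.ZIP_STORED) -> bytes:
    """Build an in-memory JAR (a ZIP) from {entry name: content}. Names are
    written verbatim into the local headers and the central directory, where
    each name is directly followed by the next 'PK' signature (no extra field
    or comment), which is what produces the rule's '...PK' strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the kit's JAR (assumption, not the hash0 sample):
# the rule's entry names plus the five data fragments planted in one class body.
FRAGMENTS = b"16lNYF2V e[<n55 na}pyO 9A1.F\\ MXGXO8"
KIT_LIKE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "ghsdr/Jewredd.class": b"\xca\xfe\xba\xbe" + FRAGMENTS,
    "ghsdr/Gedsrdc.class": b"\xca\xfe\xba\xbe",
    "ghsdr/Kocer.class": b"\xca\xfe\xba\xbe",
}
# Constructed benign JAR: only the two META-INF strings can match.
CLEAN = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe",
}


def evaluate_all() -> dict[str, tuple[int, bool]]:
    """Match count and verdict for the stored kit-like JAR, the same JAR
    repacked with deflate (the planted fragments are Huffman-coded and no
    longer appear verbatim, so only the entry names match), and a clean JAR."""
    samples = {
        "kit_stored": build_jar(KIT_LIKE, zipfile.ZIP_STORED),
        "kit_repacked": build_jar(KIT_LIKE, zipfile.ZIP_DEFLATED),
        "clean": build_jar(CLEAN),
    }
    return {name: (len(matched_strings(d)), rule_fires(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (count, fired) in evaluate_all().items():
        print(f"{name:12s} {count:2d}/13 strings  fires={fired}")
```

Running the script prints three verdicts: the stored archive reaches 13/13 and fires, the deflate repack keeps only the 8 entry-name strings and stays below the threshold, and the clean JAR matches just the two META-INF strings. For real files use the yara CLI (for example yara -r eleonore.yar <directory>), which evaluates the rule itself rather than this re-implementation.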
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or modifying registry keys.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"
Scenario: Admin Performing Patch Deployment
Description: An administrator uses a tool like WSUS or Microsoft Update to deploy patches, which may involve downloading files from external servers.
Filter/Exclusion: process.name == "wuauclt.exe" or process.command_line contains "wusa.exe"
Scenario: Log Management Tool Collecting Data
Description: A log management tool like Splunk or ELK Stack is configured to collect logs from remote servers, which may involve outbound connections.
Filter/Exclusion: process.name == "splunkd.exe" or process.name == "logstash.exe"
Scenario: Database Backup Job
Description: A database backup job using SQL Server Agent or Oracle Scheduler may involve network communication with a remote backup server.
Filter/Exclusion: process.name == "sqlservr.exe" or process.command_line contains "sqlagent.exe"
Scenario: Security Tool Performing Network Scan
Description: A security tool like Nmap or OpenVAS is used to scan internal networks, which may trigger outbound connections resembling exploit kit activity.
Filter/Exclusion: process.name == "nmap.exe" or process.name == "openvas.exe"