The Eleonore Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised websites to deliver payloads, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks before they escalate.
YARA Rule
rule eleonore_js : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "08f8488f1122f2388a0fd65976b9becd"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "var de"
        $string1 = "sdjk];"
        $string2 = "return dfshk;"
        $string3 = "function jkshdk(){"
        $string4 = "'val';"
        $string5 = "var sdjk"
        $string6 = "return fsdjkl;"
        $string7 = " window[d"
        $string8 = "var fsdjkl"
        $string9 = "function jklsdjfk() {"
        $string10 = "function rewiry(yiyr,fjkhd){"
        $string11 = " sdjd "
    condition:
        11 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
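To see how the rule's "11 of them" condition behaves, the following added example (not part of the original rule or page) re-implements its string matching in plain Python: the 12 strings are copied from the rule, the sample inputs are constructed, and matching is plain case-sensitive substring search, which is what YARA does for text strings without a nocase modifier.

```python
# Added example: the eleonore_js rule's matching logic in plain Python,
# so the "11 of them" threshold can be exercised without yara installed.
# Strings copied from the rule; every input blob below is constructed.

ELEONORE_STRINGS = [
    b"var de", b"sdjk];", b"return dfshk;", b"function jkshdk(){",
    b"'val';", b"var sdjk", b"return fsdjkl;", b" window[d",
    b"var fsdjkl", b"function jklsdjfk() {",
    b"function rewiry(yiyr,fjkhd){", b" sdjd ",
]
THRESHOLD = 11  # the rule's condition: "11 of them"


def matched_strings(data: bytes) -> list:
    """Return the rule strings found in data.

    Case-sensitive substring search, as YARA uses for text strings that
    lack the nocase modifier. A string counts once however often it occurs,
    which is how "N of them" counts strings, not occurrences.
    """
    return [s for s in ELEONORE_STRINGS if s in data]


def matches_rule(data: bytes) -> bool:
    """True when at least THRESHOLD distinct rule strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed inputs, not real exploit-kit samples:
#   FULL_HIT   - all 12 strings, one per line
#   NEAR_MISS  - only the first 10 strings, so the rule must NOT fire
#   UPPERCASED - same content upper-cased; case-sensitive search finds 0
FULL_HIT = b"".join(s + b"\n" for s in ELEONORE_STRINGS)
NEAR_MISS = b"".join(s + b"\n" for s in ELEONORE_STRINGS[:10])
UPPERCASED = FULL_HIT.upper()

if __name__ == "__main__":
    for name, blob in (("all 12", FULL_HIT), ("10 of 12", NEAR_MISS),
                       ("uppercased", UPPERCASED)):
        hits = matched_strings(blob)
        print(f"{name}: {len(hits)} strings matched, rule fires={matches_rule(blob)}")
```

The near-miss case shows why an attacker who trivially changes two of the twelve tokens slips under the threshold, and the uppercased case shows that the rule, as written, is defeated by any case change.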
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or executing a command.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or Windows Update. Use a filter like:
(process.name = "schtasks.exe") or (process.name = "wuauclt.exe")
Scenario: Admin Performing Remote Code Execution (RCE) for Patching
Description: An administrator uses a remote management tool like PsExec or WinRM to execute a script on a remote machine as part of a patching process.
Filter/Exclusion: Exclude commands executed via PsExec or WinRM by checking the command line arguments:
(process.name = "psexec.exe") or (process.name = "winrm.exe")
Scenario: Log File Analysis Tool Processing Data
Description: A log analysis tool like ELK Stack or Splunk processes logs and temporarily executes a script or command that resembles exploit kit behavior.
Filter/Exclusion: Exclude processes related to log analysis tools by checking the process name or parent process:
(process.name = "logstash.exe") or (process.name = "splunkd.exe")
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) triggers a deployment script that downloads or executes a file as part of software installation.
Filter/Exclusion: Exclude processes initiated by Group Policy by checking the parent process or command line:
(parent.process.name = "services.exe") or (command_line contains "gpupdate")