Fragus Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging outdated or vulnerable software components to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule

rule fragus_js : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "f234c11b5da9a782cb1e554f520a66cf"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "));ELI6Q3PZ"
        $string1 = "VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG"
        $string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
        $string3 = "TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT"
        $string4 = "byKZKkpZU<<18"
        $string5 = ");CUer0x"
        $string6 = "bzWRebpU3yE>>16"
        $string7 = "RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz"
        $string8 = "WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O"
        $string9 = "QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN"
        $string10 = "SCpMaWXOuME("
        $string11 = "VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw"
        $string12 = "2;}else{Yuii37DWU"
        $string13 = "ELI6Q3PZ"
        $string14 = "ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS"
        $string15 = "S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x"
        $string16 = "Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO"
        $string17 = "Yuii37DWU<<12"
        $string18 = ";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB"
    condition:
        18 of them
}
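The condition "18 of them" is evaluated over string identifiers, not occurrences: YARA counts how many distinct $string patterns are present anywhere in the scanned buffer (text strings are ASCII and case-sensitive by default) and fires when that count reaches 18. The following pure-Python re-implementation of that counting logic is an added illustration, not the YARA engine and not part of the rule page; the patterns are copied verbatim from the rule above, the sample inputs are constructed here, and running the real rule still requires yara or yara-python. It also shows a subtlety worth knowing when tuning such rules: $string13 ("ELI6Q3PZ") is a substring of $string0 ("));ELI6Q3PZ"), so any buffer containing $string0 satisfies both identifiers at once.

```python
"""Pure-Python illustration of the "N of them" semantics used by fragus_js.

Added example: this re-implements YARA's distinct-identifier counting for
plain (ASCII, case-sensitive) text strings so the threshold behaviour can be
seen without the YARA engine. It is not a substitute for yara-python.
"""

# The 19 string patterns from the rule, copied verbatim from the page.
FRAGUS_STRINGS = {
    "$string0": b"));ELI6Q3PZ",
    "$string1": b"VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG",
    "$string2": b"eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw",
    "$string3": b"TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT",
    "$string4": b"byKZKkpZU<<18",
    "$string5": b");CUer0x",
    "$string6": b"bzWRebpU3yE>>16",
    "$string7": b"RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz",
    "$string8": b"WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O",
    "$string9": b"QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN",
    "$string10": b"SCpMaWXOuME(",
    "$string11": b"VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw",
    "$string12": b"2;}else{Yuii37DWU",
    "$string13": b"ELI6Q3PZ",
    "$string14": b"ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS",
    "$string15": b"S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x",
    "$string16": b"Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO",
    "$string17": b"Yuii37DWU<<12",
    "$string18": b";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB",
}

REQUIRED_MATCHES = 18  # the rule's condition: "18 of them"


def matched_identifiers(buf: bytes, strings=FRAGUS_STRINGS) -> set:
    """Return the identifiers of every pattern found in buf at least once.

    Mirrors how "N of them" counts: each identifier counts once no matter how
    many times its pattern occurs, and a pattern embedded inside another
    pattern's occurrence still counts (see $string13 inside $string0).
    """
    return {ident for ident, pattern in strings.items() if pattern in buf}


def rule_matches(buf: bytes, required: int = REQUIRED_MATCHES) -> bool:
    """Evaluate the condition '18 of them' against buf."""
    return len(matched_identifiers(buf)) >= required


def build_sample(identifiers) -> bytes:
    """Constructed test input: embed the selected patterns in JS-looking filler.

    This is synthetic content for exercising the threshold, not a real Fragus
    landing page or any sample from the wild.
    """
    return b"\n".join(b"var x = '" + FRAGUS_STRINGS[i] + b"';" for i in identifiers)


if __name__ == "__main__":
    everything = build_sample(FRAGUS_STRINGS)
    print("all 19 patterns  ->", rule_matches(everything), len(matched_identifiers(everything)))

    without_two = [i for i in FRAGUS_STRINGS if i not in ("$string0", "$string17")]
    print("17 patterns      ->", rule_matches(build_sample(without_two)))

    # $string13 is absent from the input but still matches via $string0.
    without_13 = [i for i in FRAGUS_STRINGS if i != "$string13"]
    print("18 patterns, no $string13 -> matched identifiers:",
          len(matched_identifiers(build_sample(without_13))))
```

When tuning a generated rule like this one, the substring overlap matters: dropping $string13 from a sample does not lower the identifier count while $string0 is present, so the effective distinct-pattern threshold is slightly looser than the 18-of-19 figure suggests. For production scanning, feed the rule to yara or yara-python rather than this illustration, which only reproduces the counting logic for plain text strings.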
This rule contains 19 string patterns in its detection logic. The following scenarios describe legitimate activity that may resemble Fragus Exploit Kit behavior, each with a suggested filter or exclusion:
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that mimics the behavior of the Fragus Exploit Kit, such as downloading payloads or modifying registry keys.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or Windows Update. Use a filter like:
(process.name IN ("schtasks.exe", "wuauclt.exe")) OR (process.parent.name IN ("taskhost.exe"))
Scenario: Admin Performing Manual Patching
Description: An administrator manually executes a script or tool to patch systems, which may include downloading files or modifying system configurations that resemble exploit kit activity.
Filter/Exclusion: Exclude processes initiated by admin accounts during known patching windows. Use a filter like:
(process.user.name == "Administrator") AND (process.name IN ("powershell.exe", "cmd.exe")) AND (event_id == 4688)
Scenario: Log Management Tool Processing Logs
Description: A log management tool like Splunk or ELK Stack processes logs and may generate network traffic that matches the detection logic for Fragus.
Filter/Exclusion: Exclude traffic from known log management tools. Use a filter like:
(process.name IN ("splunkd.exe", "java.exe", "logstash.exe")) OR (process.parent.name IN ("splunkd.exe", "logstash.exe"))
Scenario: Security Tool Performing Network Scanning
Description: A security tool like Nmap or OpenVAS performs network discovery and may trigger the rule due to its network activity patterns.
Filter/Exclusion: Exclude processes associated with network scanning tools. Use a filter like: