Fragus Exploit Kit Detection identifies potential exploitation attempts by malicious actors using the Fragus Exploit Kit to deliver malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule fragus_js_flash : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "377431417b34de8592afecaea9aab95d"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "document.appendChild(bdy);try{for (i"
        $string1 = "0; i<10; i"
        $string2 = "default"
        $string3 = "var m "
        $string4 = "/g, document.getElementById('divid').innerHTML));"
        $string5 = " n.substring(0,r/2);"
        $string6 = "document.getElementById('f').innerHTML"
        $string7 = "'atk' onclick"
        $string8 = "function MAKEHEAP()"
        $string9 = "document.createElement('div');"
        $string10 = "<button id"
        $string11 = "/g, document.getElementById('divid').innerHTML);"
        $string12 = "document.body.appendChild(gg);"
        $string13 = "var bdy "
        $string14 = "var gg"
        $string15 = " unescape(gg);while(n.length<r/2) { n"
    condition:
        15 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns in its detection logic.
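To show how the "15 of them" condition behaves, the following Python re-implements the rule's matching logic without yara-python. This is an added example, not code from the original page or from the YaraGenerator project: YARA text strings with no modifiers are case-sensitive literal substring matches, so the rule can be emulated with a substring test and a count. The benign page and the positive samples below are constructed for illustration and are not real Fragus landing pages; the positive sample is only the rule's own fragments joined by newlines, not functioning code.

```python
"""Emulate the fragus_js_flash rule's string-count condition in plain Python.

Added example, not part of the original page: reproduces the rule's logic
(literal substring matches, at least 15 of 16 strings present) so the
threshold behaviour can be examined offline.
"""

# The 16 string patterns from the rule, in the order $string0 .. $string15.
FRAGUS_STRINGS = [
    "document.appendChild(bdy);try{for (i",
    "0; i<10; i",
    "default",
    "var m ",
    "/g, document.getElementById('divid').innerHTML));",
    " n.substring(0,r/2);",
    "document.getElementById('f').innerHTML",
    "'atk' onclick",
    "function MAKEHEAP()",
    "document.createElement('div');",
    "<button id",
    "/g, document.getElementById('divid').innerHTML);",
    "document.body.appendChild(gg);",
    "var bdy ",
    "var gg",
    " unescape(gg);while(n.length<r/2) { n",
]

THRESHOLD = 15  # the rule's condition: "15 of them"


def matched_strings(data: bytes) -> list:
    """Return the rule strings that occur anywhere in data, in rule order."""
    return [s for s in FRAGUS_STRINGS if s.encode() in data]


def rule_matches(data: bytes) -> bool:
    """True when at least THRESHOLD of the 16 strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed benign page: ordinary DOM code that shares a handful of generic
# fragments with the rule ("<button id", "var gg", "default", ...) but nothing
# Fragus-specific, so it stays far below the 15-string threshold.
BENIGN_HTML = b"""<html><body>
<button id="go" onclick="run()">Go</button>
<script>
var gg = document.createElement('div');
for (var i = 0; i<10; i++) { gg.innerHTML += i; }
switch (mode) { default: break; }
</script></body></html>"""


def sample_without(k: int) -> bytes:
    """Constructed positive sample: the rule strings joined by newlines with the
    first k strings removed (k=0 keeps all 16). A bag of fragments, not a page."""
    return b"\n".join(s.encode() for s in FRAGUS_STRINGS[k:])


if __name__ == "__main__":
    print("benign page matches:", matched_strings(BENIGN_HTML))  # 5 of 16, no alert
    for k in range(3):
        hits = len(matched_strings(sample_without(k)))
        print(f"sample missing {k} string(s): {hits}/16 present, fires={rule_matches(sample_without(k))}")
```

Two things the run makes visible: the threshold tolerates exactly one absent string, so a file that carries only one of the near-duplicate `$string4`/`$string11` forms still matches as long as the other fourteen are present, while a second missing string (for example after trivial whitespace changes to one fragment) drops the count to 14 and the rule goes silent. The benign page hits five generic fragments, which is why the high threshold matters for false-positive control.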
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using schtasks.exe or at.exe runs a legitimate script or executable that matches the exploit kit’s signature.
Filter/Exclusion: Exclude processes associated with schtasks.exe or at.exe when the command line includes known legitimate scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command ...).
Scenario: System Maintenance Task via Task Scheduler
Description: A system maintenance task (e.g., disk cleanup, log rotation) is executed via Task Scheduler using schtasks.exe and includes a legitimate executable that matches the exploit kit’s signature.
Filter/Exclusion: Exclude processes where the parent process is taskhost.exe and the command line includes known maintenance tools (e.g., cleanmgr.exe, logman.exe).
Scenario: Admin Tool Usage for Patching
Description: An administrator uses a legitimate patching tool (e.g., wsusscn2.cab, wusa.exe) that inadvertently matches the exploit kit’s signature.
Filter/Exclusion: Exclude processes where the command line includes wusa.exe or wsusscn2.cab and the process is initiated by an admin account with a known patching task.
Scenario: Log File Analysis with PowerShell
Description: A security analyst uses PowerShell (powershell.exe) to analyze log files, and the script or command matches the exploit kit’s signature.
Filter/Exclusion: Exclude processes where the parent process is explorer.exe or cmd.exe and the command line includes log analysis tools (e.g., Get-EventLog, Get-WinEvent).
Scenario: Software Update via Microsoft Update
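The four completed scenarios above each pair a command-line indicator with a context condition (parent image, account role, a known task). The following Python applies those exclusions to process-creation events and reports which one suppressed each event. It is an added example, not code from the original page; the `ProcessEvent` fields, the `known_patch_task` flag and the sample events are constructed assumptions chosen to carry the attributes the scenarios name.

```python
"""Apply the false-positive exclusions from the scenarios above to process events.

Added example, not from the original page: the event schema and sample events
are constructed assumptions. Every exclusion is gated on a context field as
well as on command-line content, so a tool name alone never suppresses an alert.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ProcessEvent:
    process: str                    # image name of the created process
    parent: str                     # image name of the parent process
    command_line: str
    account_is_admin: bool = False
    known_patch_task: bool = False  # assumption: true when tied to an approved patching job


# Allowlists taken from the scenario text.
LEGIT_SCHEDULED_SCRIPTS = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command",)
MAINTENANCE_TOOLS = ("cleanmgr.exe", "logman.exe")
PATCH_TOOLS = ("wusa.exe", "wsusscn2.cab")
LOG_ANALYSIS_CMDLETS = ("Get-EventLog", "Get-WinEvent")


def _contains_any(text: str, needles: Iterable[str]) -> bool:
    """Case-insensitive substring test (image names and cmdlets are case-insensitive on Windows)."""
    folded = text.casefold()
    return any(n.casefold() in folded for n in needles)


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return which scenario's exclusion applies to ev, or None if the alert stands."""
    proc, parent = ev.process.casefold(), ev.parent.casefold()
    # Scenario 1: schtasks.exe / at.exe launching a known legitimate script
    if proc in ("schtasks.exe", "at.exe") and _contains_any(ev.command_line, LEGIT_SCHEDULED_SCRIPTS):
        return "legitimate-scheduled-job"
    # Scenario 2: maintenance tool run under Task Scheduler (parent taskhost.exe)
    if parent == "taskhost.exe" and _contains_any(ev.command_line, MAINTENANCE_TOOLS):
        return "system-maintenance-task"
    # Scenario 3: patching tool, only for an admin account on a known patching task
    if _contains_any(ev.command_line, PATCH_TOOLS) and ev.account_is_admin and ev.known_patch_task:
        return "admin-patching"
    # Scenario 4: analyst log review from an interactive shell (parent explorer.exe / cmd.exe)
    if parent in ("explorer.exe", "cmd.exe") and _contains_any(ev.command_line, LOG_ANALYSIS_CMDLETS):
        return "log-file-analysis"
    return None


def triage(events: Iterable[ProcessEvent]) -> Tuple[List[ProcessEvent], List[Tuple[ProcessEvent, str]]]:
    """Split events into (alerts, suppressed); suppressed entries carry the exclusion that fired."""
    alerts, suppressed = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason is None:
            alerts.append(ev)
        else:
            suppressed.append((ev, reason))
    return alerts, suppressed


# Constructed sample events: one per scenario that should be suppressed, plus two that must still alert.
SAMPLE_EVENTS = [
    ProcessEvent("schtasks.exe", "services.exe",
                 r"schtasks /Run /TN Backup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Backup.ps1"),
    ProcessEvent("cleanmgr.exe", "taskhost.exe", "cleanmgr.exe /sagerun:1"),
    ProcessEvent("wusa.exe", "svchost.exe", r"wusa.exe C:\Patches\KB-PLACEHOLDER.msu /quiet",
                 account_is_admin=True, known_patch_task=True),
    ProcessEvent("powershell.exe", "cmd.exe", "powershell.exe Get-WinEvent -LogName Security -MaxEvents 50"),
    # Same cmdlet, but the parent is not an interactive shell: exclusion 4 must not apply.
    ProcessEvent("powershell.exe", "unknownapp.exe", "powershell.exe Get-WinEvent -LogName Security"),
    # Patching tool without an admin account or an approved task: exclusion 3 must not apply.
    ProcessEvent("wusa.exe", "explorer.exe", r"wusa.exe C:\Users\Public\update.msu /quiet"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev, reason in suppressed:
        print(f"suppressed ({reason}): {ev.command_line}")
    for ev in alerts:
        print(f"ALERT: {ev.process} <- {ev.parent}: {ev.command_line}")
```

The last two sample events are the ones worth watching: they carry the same command-line indicators as suppressed events but fail the context gate (wrong parent, non-admin account), so they still alert. Keeping the reason string with each suppressed event lets the tuning be audited later, which is the practical difference between an exclusion and a blind spot.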