Fragus Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging the Fragus Exploit Kit to deliver payloads through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and prevent lateral movement within the network.
YARA Rule
```yara
rule fragus_js_java : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "7398e435e68a2fa31607518befef30fb"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "I></XML><SPAN DATASRC"
        $string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
        $string2 = "I DATAFLD"
        $string3 = " unescape("
        $string4 = ", 1);swf.setAttribute("
        $string5 = "function XMLNEW(){var spray "
        $string6 = "vparivatel.php"
        $string7 = "6) ){if ( (lv"
        $string8 = "'WIN 9,0,16,0')"
        $string9 = "d:/Program Files/Outlook Express/WAB.EXE"
        $string10 = "<XML ID"
        $string11 = "new ActiveXObject("
        $string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
        $string13 = "function SWF(){try{sv"
        $string14 = "'WIN 9,0,28,0')"
        $string15 = "C DATAFORMATAS"
        $string16 = " shellcode;xmlcode "
        $string17 = "function SNAPSHOT(){var a"
    condition:
        17 of them
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic.
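As an added example (not part of the original page or of the rule author's tooling), a small Python evaluator for the plain-text-string, "N of them" subset of YARA that this rule uses, run offline over constructed inputs; it shows that with 18 strings and a "17 of them" condition a sample missing any one string still matches, while a sample missing two does not. The function names and the constructed samples are this example's own.

```python
import re

# Strings and condition of the page's rule (meta omitted), embedded for offline use.
FRAGUS_RULE = r'''rule fragus_js_java : EK
{
    strings:
        $string0 = "I></XML><SPAN DATASRC"
        $string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
        $string2 = "I DATAFLD"
        $string3 = " unescape("
        $string4 = ", 1);swf.setAttribute("
        $string5 = "function XMLNEW(){var spray "
        $string6 = "vparivatel.php"
        $string7 = "6) ){if ( (lv"
        $string8 = "'WIN 9,0,16,0')"
        $string9 = "d:/Program Files/Outlook Express/WAB.EXE"
        $string10 = "<XML ID"
        $string11 = "new ActiveXObject("
        $string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
        $string13 = "function SWF(){try{sv"
        $string14 = "'WIN 9,0,28,0')"
        $string15 = "C DATAFORMATAS"
        $string16 = " shellcode;xmlcode "
        $string17 = "function SNAPSHOT(){var a"
    condition:
        17 of them
}'''

# Only plain text strings (no escapes, modifiers, hex or regex) and an
# "N of them" condition are handled; assumption: that covers this rule.
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"\\]*)"', re.M)
COND_RE = re.compile(r'^\s*(\d+)\s+of\s+them\b', re.M)

def parse_rule(text):
    """Return ({name: pattern_bytes}, threshold) parsed from the rule text."""
    strings = {m.group(1): m.group(2).encode() for m in STRING_RE.finditer(text)}
    threshold = int(COND_RE.search(text).group(1))
    return strings, threshold

def scan(data, rule_text=FRAGUS_RULE):
    """Evaluate the rule over data; return (matched, names of strings found)."""
    strings, threshold = parse_rule(rule_text)
    hits = sorted(n for n, p in strings.items() if p in data)
    return len(hits) >= threshold, hits

def constructed_sample(omit=()):
    """Constructed test input: every rule string except the names in omit."""
    strings, _ = parse_rule(FRAGUS_RULE)
    return b"<html>" + b"\n".join(p for n, p in strings.items() if n not in omit) + b"</html>"
```

A page that merely uses ActiveXObject hits a single string and stays well below the threshold, which is why the rule's count-based condition keeps generic script constructs from firing on their own.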
Scenario: Legitimate scheduled system update via Windows Server Update Services (WSUS)
Filter/Exclusion: Check for ProcessName = "wusa.exe" and CommandLine containing wsus or update. Exclude processes initiated by the WSUS server or during scheduled update windows.
Scenario: Admin performing a manual patch deployment using Microsoft Endpoint Manager (MEM)
Filter/Exclusion: Filter for ProcessName = "msiexec.exe" with CommandLine containing /i or /update, and check for association with MEM or SCCM. Exclude processes initiated by known admin accounts or during patch windows.
Scenario: Regular backup job using Veeam or similar backup software
Filter/Exclusion: Identify processes like veeam.exe or vbragent.exe and check for backup-related command lines. Exclude processes running during scheduled backup windows or from known backup servers.
Scenario: IT staff using PowerShell for routine system configuration or compliance checks
Filter/Exclusion: Filter for ProcessName = "powershell.exe" with command lines containing Invoke-Command, Test-Connection, or Get-Service. Exclude processes initiated by privileged accounts or during known maintenance windows.
Scenario: Antivirus or endpoint protection software performing a full system scan
Filter/Exclusion: Identify processes like mpcmdrun.exe (Microsoft Defender) or avgnt.exe (Avast) and check for scan-related command lines. Exclude processes running during scheduled scans or from known security software.