The Fragus Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging the Fragus Exploit Kit to deliver payloads through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks that could lead to broader network compromise.
YARA Rule
rule fragus_js_quicktime : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "6bfc7bb877e1a79be24bd9563c768ffd"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = " setTimeout("
        $string1 = "wnd.location"
        $string2 = "window;"
        $string3 = " var pls "
        $string4 = " mem_flag "
        $string5 = ", 1500);} else{ PRyyt4O3wvgz(1);}"
        $string6 = " } catch(e) { }"
        $string7 = " mem_flag) JP7RXLyEu();"
        $string8 = " 0x400000;"
        $string9 = "----------------------------------------------------------------------------------------------------"
        $string10 = " heapBlocks "
        $string11 = " return mm;"
        $string12 = "0x38);"
        $string13 = " h();"
        $string14 = " getb(b,bSize);"
        $string15 = "getfile.php"

    condition:
        15 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns ($string0 through $string15) in its detection logic, and its condition fires only when at least 15 of them are present in the scanned file; a few of the strings (such as " setTimeout(", "window;" and " } catch(e) { }") are common in benign JavaScript, so the high threshold is what keeps the rule from matching ordinary scripts.
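To make the "15 of them" threshold concrete, here is an added Python evaluator (not part of the original rule and not YARA itself) that reimplements this rule's plain, case-sensitive string matching and runs it over a constructed benign JavaScript snippet that shares the rule's generic strings:

```python
"""Offline approximation of the fragus_js_quicktime rule's condition."""
from __future__ import annotations

# The 16 plain strings from the rule above, copied verbatim as bytes.
FRAGUS_STRINGS: list[bytes] = [
    b" setTimeout(",
    b"wnd.location",
    b"window;",
    b" var pls ",
    b" mem_flag ",
    b", 1500);} else{ PRyyt4O3wvgz(1);}",
    b" } catch(e) { }",
    b" mem_flag) JP7RXLyEu();",
    b" 0x400000;",
    b"----------------------------------------------------------------------------------------------------",
    b" heapBlocks ",
    b" return mm;",
    b"0x38);",
    b" h();",
    b" getb(b,bSize);",
    b"getfile.php",
]
THRESHOLD = 15  # the rule's condition: "15 of them"


def matched_strings(data: bytes) -> list[bytes]:
    """Return the rule strings found in data, in rule order.

    YARA text strings without modifiers are case-sensitive ASCII
    substrings, which is exactly what the `in` test does on bytes.
    """
    return [s for s in FRAGUS_STRINGS if s in data]


def rule_matches(data: bytes) -> bool:
    """True when at least THRESHOLD of the 16 strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed benign JavaScript (assumption: ordinary polling code); it
# contains three of the generic strings but nowhere near the threshold.
BENIGN_JS = b"""var t = window;
function poll() { try { fetch('/ping'); } catch(e) { } setTimeout(poll, 1500); }
"""

if __name__ == "__main__":
    hits = matched_strings(BENIGN_JS)
    print(f"benign sample: {len(hits)}/{len(FRAGUS_STRINGS)} strings, "
          f"match={rule_matches(BENIGN_JS)}")
```

Because the three shared strings fall far short of 15, the benign snippet does not match; dropping the threshold much lower would start flagging ordinary scripts.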
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude events where process.name contains "Veeam" or "backup", after confirming the process was initiated from a known backup server IP.

Scenario: Administrative task running Microsoft Windows Update
Filter/Exclusion: Filter out processes whose process.name equals "wusa.exe" or "WindowsUpdate.exe", after verifying the update source is Microsoft's official update servers.

Scenario: Legitimate use of PowerShell for script execution by system administrators
Filter/Exclusion: Exclude processes where process.name is "powershell.exe" and the command line references a known admin script or the process was initiated from a trusted admin workstation.

Scenario: Automated log collection using the ELK Stack (Elasticsearch, Logstash, Kibana)
Filter/Exclusion: Filter out processes whose process.name contains "logstash" or "elasticsearch", after confirming they run from a known log management server.

Scenario: Use of Ansible for configuration management and patching
Filter/Exclusion: Exclude processes whose process.name contains "ansible", after verifying the execution originates from a known Ansible control node using authorized credentials.