Fragus Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging the Fragus Exploit Kit to deliver payloads through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule fragus_js_vml : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "8ab72337c815e0505fcfbc97686c3562"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = " 0x100000;"
        $string1 = " var gg "
        $string2 = "/g, document.getElementById('divid').innerHTML));"
        $string3 = " var sss "
        $string4 = " }"
        $string5 = " document.body.appendChild(obj);"
        $string6 = " var hbs "
        $string7 = " shcode; }"
        $string8 = " '<div id"
        $string9 = " hbs - (shcode.length"
        $string10 = "){ m[i] "
        $string11 = " unescape(gg);"
        $string12 = " var z "
        $string13 = " var hb "
        $string14 = " Math.ceil('0'"
    condition:
        14 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
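The rule fires only when at least 14 of its 15 fragments appear in the scanned content, so a page containing most but not all of them stays silent. The following added example (not part of the original page or of the rule author's work) re-implements that "14 of them" condition in plain Python so the threshold can be exercised without the yara module; the three HTML/JS samples are constructed for illustration and carry no exploit code, only the literal fragments the rule looks up.

```python
"""Added example: exercise the fragus_js_vml string/threshold logic in pure Python.

YARA text strings without modifiers are ASCII and case-sensitive, so a plain
bytes substring search reproduces the same matching for this rule.
"""

# The 15 string patterns from the rule, copied verbatim (order does not matter).
FRAGUS_STRINGS = [
    " 0x100000;",
    " var gg ",
    "/g, document.getElementById('divid').innerHTML));",
    " var sss ",
    " }",
    " document.body.appendChild(obj);",
    " var hbs ",
    " shcode; }",
    " '<div id",
    " hbs - (shcode.length",
    "){ m[i] ",
    " unescape(gg);",
    " var z ",
    " var hb ",
    " Math.ceil('0'",
]

# The rule's condition is "14 of them".
THRESHOLD = 14


def matched_strings(data: bytes) -> list[str]:
    """Return the rule strings present in data (case-sensitive ASCII search)."""
    return [s for s in FRAGUS_STRINGS if s.encode("ascii") in data]


def fragus_js_vml(data: bytes) -> bool:
    """True when the content would satisfy the rule's '14 of them' condition."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample containing every fragment the rule lists (hypothetical page).
HIT_SAMPLE = b"""<html><body><script>
 var z = 0x100000;
 var gg = '%u9090%u9090';
 var sss = unescape(gg);
 var hb = 0x20; var hbs = 0x100000;
 var shcode = sss;
 var m = new Array();
 hbs = hbs - (shcode.length * 2);
 for (i = 0; i < 200; i++){ m[i] = hb + shcode; }
 var obj = document.createElement('div');
 document.body.appendChild(obj);
 var n = Math.ceil('0' + '1');
 x.replace(/a/g, document.getElementById('divid').innerHTML));
 '<div id="divid"></div>'
</script></body></html>"""

# Same page with the two "gg" fragments renamed: only 13 of 15 remain, below threshold.
NEAR_MISS_SAMPLE = (
    HIT_SAMPLE.replace(b" var gg ", b" var g2 ").replace(b" unescape(gg);", b" unescape(g2);")
)

# Ordinary page that shares one generic fragment (" var z ") with the rule.
BENIGN_SAMPLE = b"<html><body><p>Hello</p><script> var z = 1; </script></body></html>"


def scan_samples() -> dict[str, bool]:
    """Run the re-implemented rule over the three constructed samples."""
    return {
        "hit": fragus_js_vml(HIT_SAMPLE),
        "near_miss": fragus_js_vml(NEAR_MISS_SAMPLE),
        "benign": fragus_js_vml(BENIGN_SAMPLE),
    }


if __name__ == "__main__":
    for name, sample in (("hit", HIT_SAMPLE), ("near_miss", NEAR_MISS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = matched_strings(sample)
        print(f"{name}: {len(hits)}/{len(FRAGUS_STRINGS)} strings -> fires={fragus_js_vml(sample)}")
```

When yara-python is available the real rule can be checked against the same samples with `yara.compile(source=rule_text).match(data=HIT_SAMPLE)`; the pure-Python version above is useful for unit-testing threshold changes (for example, raising or lowering "14 of them") before touching the deployed rule.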
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or executing a payload.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like schtasks.exe or Task Scheduler with names containing “maintenance”, “backup”, or “update”.
Scenario: Admin Performing Remote Code Execution (RCE) for Patching
Description: An administrator uses a tool like PsExec or Invoke-Command to execute a script on a remote machine as part of a patching process.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges and associated with known patching tools or scripts.
Scenario: Legitimate Software Update via PowerShell
Description: A company uses PowerShell scripts (e.g., Update-Package) to deploy software updates across the network, which may involve downloading and executing payloads.
Filter/Exclusion: Exclude PowerShell scripts executed from known update management tools like Chocolatey, WSUS, or SCCM, or those with execution paths in the corporate update directory.
Scenario: Log Collection and Analysis Tool (e.g., Splunk, ELK)
Description: A log analysis tool like Splunk or ELK Stack may execute scripts or binaries that resemble exploit kit behavior during log parsing or data ingestion.
Filter/Exclusion: Exclude processes originating from the log analysis tool’s installation directory or those associated with log ingestion services.
Scenario: Security Tool for Exploit Mitigation (e.g., Cisco AMP, CrowdStrike)
Description: A security tool may simulate exploit behavior to test or mitigate vulnerabilities, triggering the detection rule.
Filter/Exclusion: Exclude processes from known security tools like Cisco AMP, CrowdStrike, or Microsoft Defender ATP