The phoenix_html rule detects landing pages of the Phoenix Exploit Kit, a browser exploit kit that delivered Java exploits through an applet embedded in an HTML page. The strings it matches are the page's own markers: an <applet mayscript ...> tag whose archive is a .jar, a <textarea>function ... block, and the self-decoding JavaScript that chains .replace(/.../gmi, ...) calls with String.fromCharCode(...). Scanning HTML and JavaScript content (sample stores, proxy caches, web objects extracted from traffic) with it lets SOC teams catch the delivery stage before a payload executes on the endpoint.
YARA Rule
rule phoenix_html : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "8395f08f1371eb7b2a2e131b92037f9a"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string1 = "'></applet><body id"
        $string2 = "<applet mayscript"
        $string3 = "/gmi,String.fromCharCode(2"
        $string4 = "/gmi,' ').replace(/"
        $string5 = "pe;i;;.j1s->c"
        $string6 = "es4Det"
        $string7 = "<textarea>function"
        $string8 = ".replace(/"
        $string9 = ".jar' code"
        $string10 = ";iFc;ft'b)h{s"
    condition:
        10 of them
}
The rule contains 10 string patterns, and its condition (10 of them) requires every one of them to be present, so it is narrow by design: a page that carries only the applet tag, or only the .replace(/ decoder, will not fire. The sample_filetype of js-html indicates what it was generated from; scan it against HTML and JavaScript content rather than against binaries or process telemetry.
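As an added example (not part of the original rule page or the author's tooling), the Python below evaluates the rule's plain-string and "N of them" logic against two constructed samples: a page assembled to carry all ten fragments, and a legitimate-looking Java applet page that carries only two. It shows why the 10 of them condition keeps the rule quiet on ordinary applet pages and what relaxing the threshold does. The evaluator handles only plain text strings and "N of them" conditions (no modifiers, regex or hex strings); when yara-python is installed, the optional cross-check asks the real engine for its verdict. The sample HTML is constructed for illustration, not captured traffic.

```python
"""Evaluate a plain-string 'N of them' YARA rule against constructed HTML samples."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The rule exactly as shown on this page (meta lines kept so yara-python compiles it too).
RULE = r'''
rule phoenix_html : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
    strings:
        $string1 = "'></applet><body id"
        $string2 = "<applet mayscript"
        $string3 = "/gmi,String.fromCharCode(2"
        $string4 = "/gmi,' ').replace(/"
        $string5 = "pe;i;;.j1s->c"
        $string6 = "es4Det"
        $string7 = "<textarea>function"
        $string8 = ".replace(/"
        $string9 = ".jar' code"
        $string10 = ";iFc;ft'b)h{s"
    condition:
        10 of them
}
'''

# Constructed sample: a landing page assembled to contain all ten fragments (not a real capture).
LANDING_PAGE = rb"""<html><head><title>es4Det</title></head>
<body id="main">
<textarea>function d(s){return s.replace(/\s+/gmi,' ').replace(/[^a-z]/gmi,String.fromCharCode(20));}
pe;i;;.j1s->c ;iFc;ft'b)h{s</textarea>
<applet mayscript archive='loader.jar' code='Loader.class'></applet><body id="b">
</body></html>"""

# Constructed sample: an ordinary legacy applet page; it shares only the applet markers.
LEGIT_APPLET = rb"""<html><body>
<applet mayscript archive='viewer.jar' code='Viewer.class' width=400 height=300>
<param name="file" value="report.dat">
</applet>
</body></html>"""

_NAME_RE = re.compile(r"^\s*rule\s+(\w+)")
_STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
_COND_RE = re.compile(r"^\s*(\d+|all|any)\s+of\s+them\s*$")


@dataclass
class Rule:
    name: str
    strings: Dict[str, bytes]   # identifier -> literal bytes to search for
    threshold: int              # how many distinct strings must be present


def _unescape(s: str) -> str:
    """Decode the escapes YARA allows in text strings: \\" \\\\ \\t \\n \\r \\xNN."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "x" and i + 3 < len(s):
                out.append(chr(int(s[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append({"n": "\n", "t": "\t", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_rule(text: str) -> Rule:
    """Parse rule name, plain text strings and an 'N of them' condition (subset of YARA)."""
    name, strings, cond, section = "", {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not name:
            m = _NAME_RE.match(line)
            if m:
                name = m.group(1)
        if stripped in ("meta:", "strings:", "condition:"):
            section = stripped[:-1]
            continue
        if section == "strings":
            m = _STRING_RE.match(line)
            if m:
                strings[m.group(1)] = _unescape(m.group(2)).encode("utf-8")
        elif section == "condition":
            m = _COND_RE.match(line)
            if m:
                cond = m.group(1)
    if cond is None or not strings:
        raise ValueError("unsupported rule: need plain strings and an 'N of them' condition")
    threshold = len(strings) if cond == "all" else 1 if cond == "any" else int(cond)
    return Rule(name, strings, threshold)


def evaluate(rule: Rule, data: bytes, threshold: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Return (matched, hit identifiers); an explicit threshold overrides the rule's own."""
    hits = [ident for ident, literal in rule.strings.items() if literal in data]
    return len(hits) >= (rule.threshold if threshold is None else threshold), hits


def yara_crosscheck(rule_text: str, data: bytes) -> Optional[bool]:
    """Ask yara-python for its verdict; None when the module is not installed."""
    try:
        import yara  # type: ignore
    except ImportError:
        return None
    return bool(yara.compile(source=rule_text).match(data=data))


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for label, sample in (("landing page", LANDING_PAGE), ("legacy applet", LEGIT_APPLET)):
        matched, hits = evaluate(rule, sample)
        print(f"{label}: matched={matched} ({len(hits)}/{rule.threshold}) hits={hits}")
    print("legacy applet at '2 of them':", evaluate(rule, LEGIT_APPLET, threshold=2)[0])
    print("rule file scanned with itself:", evaluate(rule, RULE.encode())[0])
    print("yara-python agrees on landing page:", yara_crosscheck(RULE, LANDING_PAGE))
```

The last two checks illustrate the tuning points made in the scenarios that follow: lowering the threshold to 2 makes the ordinary applet page fire, and any file that embeds the rule's literals, including the rule file itself, matches trivially, so detection-content directories belong outside the scan path.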
Scenario: Legacy Intranet Application Serving Java Applets
Description: An internal line-of-business page still embeds a Java applet, so it contains <applet mayscript and .jar' code ($string2, $string9). Because the condition requires all 10 strings, such a page does not fire on its own; it only becomes a concern if the threshold is lowered.
Filter/Exclusion: Keep the 10 of them condition. If you relax it to catch variants, exclude the known applet pages by path or file hash rather than by removing the applet strings, which are part of what makes the match specific.
Scenario: Malware Sample Repositories and Sandbox Storage
Description: Archived Phoenix landing pages held by analysts, sandboxes or threat-intel shares match exactly as intended, but a hit there is stored evidence, not a live infection.
Filter/Exclusion: Exclude known sample directories from scheduled scans, or route hits from those paths to a lower-severity queue so they do not page the on-call analyst.
Scenario: Web Proxy or Browser Caches
Description: A proxy cache or a user's browser cache may retain a copy of a landing page the user visited. The rule matches the HTML, not the .jar it loads, so a cache hit shows exposure to the kit, not that the Java exploit succeeded.
Filter/Exclusion: Do not exclude these locations; treat a hit as a lead and check the same host for the referenced .jar, Java process activity and follow-on downloads.
Scenario: Detection Content That Embeds the Rule's Own Strings
Description: The rule file itself, detection-content repositories and IDS or YARA signature bundles contain the ten literals verbatim and therefore match trivially.
Filter/Exclusion: Exclude rule and signature directories from the scan path, or scan them with a ruleset that omits this rule.
Scenario: Security Tool Performing Network Scanning
Description: A network scanning tool like nmap or Masscan is used to scan internal networks, which may trigger