The Phoenix Exploit Kit Detection rule identifies potential exploitation attempts by malicious actors leveraging compromised legitimate credentials to execute arbitrary code within an Azure environment. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage adversary activity that could lead to persistent access and data exfiltration.
YARA Rule
rule phoenix_html2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "2fd263f5d988a92715f4146a0006cb31"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "Pec.lilsD)E)i-gonP(mgge.eOmn"
        $string1 = "(trt;oo"
        $string2 = "aceeC:0h"
        $string3 = "Vubb.oec.n)a."
        $string4 = "t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-"
        $string5 = "seierb)gMle(}ev;is{(b;ga"
        $string6 = "e)}ift"
        $string7 = "Dud{rt"
        $string8 = "blecroeely}diuFI-"
        $string9 = "ttec]tr"
        $string10 = "fSgcso"
        $string11 = "eig.t)eR{t}aeesbdtbl{1sr)m"
        $string12 = ").}n,Raa.s"
        $string13 = "sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar"
        $string14 = "dxc.,:tfr(ucxRn"
        $string15 = "eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)"
        $string16 = "}tn)i{ebr,_.ns(Nes,,gm(ar.t"
        $string17 = "l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI"
    condition:
        17 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns ($string0 through $string17) in its detection logic and matches when at least 17 of them are present in the scanned file.
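To make the condition concrete, the following is an added Python example (not part of the original rule or of the YaraGenerator project) that re-implements the rule's "17 of them" check over its 18 strings and runs it against constructed inputs; the function names and the sample builder are assumptions of this example, not YARA APIs.

```python
# Pure-Python re-implementation of the phoenix_html2 condition.
# YARA strings declared without modifiers are case-sensitive byte sequences,
# so each pattern is checked with a plain substring search over the raw bytes.
# In an "N of them" condition a string counts once no matter how often it occurs.

PHOENIX_STRINGS = [
    b"Pec.lilsD)E)i-gonP(mgge.eOmn",
    b"(trt;oo",
    b"aceeC:0h",
    b"Vubb.oec.n)a.",
    b"t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-",
    b"seierb)gMle(}ev;is{(b;ga",
    b"e)}ift",
    b"Dud{rt",
    b"blecroeely}diuFI-",
    b"ttec]tr",
    b"fSgcso",
    b"eig.t)eR{t}aeesbdtbl{1sr)m",
    b").}n,Raa.s",
    b"sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar",
    b"dxc.,:tfr(ucxRn",
    b"eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)",
    b"}tn)i{ebr,_.ns(Nes,,gm(ar.t",
    b"l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI",
]
THRESHOLD = 17  # the rule's condition: 17 of them


def matched_strings(data: bytes) -> list[int]:
    """Indices of rule strings present in data (each string counted once)."""
    return [i for i, s in enumerate(PHOENIX_STRINGS) if s in data]


def phoenix_html2_matches(data: bytes) -> bool:
    """True when at least THRESHOLD of the 18 strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(drop: frozenset[int] = frozenset()) -> bytes:
    """Constructed test buffer (not a real sample): the rule strings, minus
    the dropped indices, wrapped in minimal HTML. Newline separators keep
    dropped strings from reappearing across fragment boundaries."""
    body = b"\n".join(s for i, s in enumerate(PHOENIX_STRINGS) if i not in drop)
    return b"<html><script>\n" + body + b"\n</script></html>"


if __name__ == "__main__":
    print(phoenix_html2_matches(build_sample()))                    # all 18 present
    print(phoenix_html2_matches(build_sample(frozenset({4}))))      # 17 present, still fires
    print(phoenix_html2_matches(build_sample(frozenset({4, 13}))))  # 16 present, no match
    print(phoenix_html2_matches(b"<html><body>hello</body></html>"))
```

Dropping a single string still yields a match, which shows the one-string tolerance the condition buys over `all of them`; dropping two falls below the threshold.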
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a payload or modifying system settings.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or cron jobs that match the naming pattern of enterprise maintenance scripts (e.g., maintenance_cleanup_*.bat).
Scenario: Admin Performing Patch Management
Description: An administrator uses a tool like Windows Update or WSUS to deploy patches, which may involve downloading and executing temporary scripts or payloads.
Filter/Exclusion: Exclude IP addresses or hosts associated with internal patch management servers, or filter by process names like wuauclt.exe or wsusoffline.exe.
Scenario: Log Collection and Analysis Tool
Description: A tool like Splunk, ELK Stack, or Graylog is configured to collect and analyze logs, which may involve writing to or reading from system directories that resemble exploit kit activity.
Filter/Exclusion: Exclude processes related to log collection tools by their known process names or by filtering based on the user account (e.g., splunkuser or logstash).
Scenario: Software Update or Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) deployment may involve executing scripts or installing packages that temporarily use similar network behavior to exploit kits.
Filter/Exclusion: Exclude traffic from SCCM distribution points or processes associated with ccmexec.exe and smsexec.exe.
Scenario: Database Backup and Restore Operation
Description: A database backup tool like SQL Server Backup Utility or mysqldump may perform operations that involve file system access or temporary file creation, which could be mistaken for exploit kit activity.