The Phoenix Exploit Kit Detection rule identifies potential exploitation attempts by malicious actors leveraging the Phoenix Exploit Kit to deliver payloads through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule phoenix_html4 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "61fde003211ac83c2884fbecefe1fc80"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "/dr.php"
        $string1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $string2 = "launchjnlp"
        $string3 = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
        $string4 = "urlmon.dll"
        $string5 = "<body>"
        $string6 = " docbase"
        $string7 = "</html>"
        $string8 = " classid"
        $string9 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $string10 = "63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $string11 = "</object>"
        $string12 = "application/x-java-applet"
        $string13 = "java_obj"
    condition:
        13 of them
}
This YARA rule can be deployed in the following contexts:
This rule declares 14 string patterns ($string0 through $string13) and fires when at least 13 of them are found in the scanned content.
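To make the threshold concrete, here is an added, dependency-free Python re-implementation of the rule's matching logic (plain substring search plus the "13 of them" condition); it is not the rule page's own code, and all sample inputs in it are constructed. It also reports strings that are substrings of other strings in the set, which can never add an independent hit.

```python
# Added example, not the rule page's own code: a dependency-free re-implementation of
# phoenix_html4's matching logic (plain substring search plus the "13 of them" threshold)
# so the condition can be exercised without yara-python. All sample inputs are constructed.

PHOENIX_HTML4_STRINGS = {
    "string0": "/dr.php",
    "string1": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "string2": "launchjnlp",
    "string3": "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA",
    "string4": "urlmon.dll",
    "string5": "<body>",
    "string6": " docbase",
    "string7": "</html>",
    "string8": " classid",
    "string9": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "string10": "63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "string11": "</object>",
    "string12": "application/x-java-applet",
    "string13": "java_obj",
}

def matched_strings(document: str) -> list[str]:
    """Names of the rule's strings present in document. An unmodified YARA text string is a
    case-sensitive substring match, which is exactly what the plain `in` test reproduces."""
    return [name for name, needle in PHOENIX_HTML4_STRINGS.items() if needle in document]

def phoenix_html4_matches(document: str, threshold: int = 13) -> bool:
    """The rule's condition, `13 of them`: at least 13 of the 14 strings must be present."""
    return len(matched_strings(document)) >= threshold

def redundant_strings() -> list[str]:
    """Strings contained in another string of the set. Such a string can never add an
    independent hit, which matters when judging how strict `13 of them` really is."""
    s = PHOENIX_HTML4_STRINGS
    return [a for a in s if any(a != b and s[a] in s[b] for b in s)]

def make_sample(exclude: tuple[str, ...] = ()) -> str:
    """Constructed fixture: the indicator strings joined by newlines, minus the excluded
    ones. It is not a web page, only enough text to exercise the counting logic."""
    return "\n".join(v for k, v in PHOENIX_HTML4_STRINGS.items() if k not in exclude)

# Constructed benign page: ordinary HTML with an <object> tag already hits four generic
# markup strings ("<body>", "</html>", " classid", "</object>") but stays far below 13.
BENIGN_PAGE = (
    "<html>\n<body>\n"
    '<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1"></object>\n'
    "</body>\n</html>\n"
)
```

Dropping one indicator from the constructed fixture still satisfies the condition (13 hits), dropping two does not (12 hits); the benign page scores 4.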
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that temporarily loads a DLL or executes a command similar to those used by the Phoenix Exploit Kit.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with names containing “maintenance”, “backup”, or “update”.
Scenario: Admin Performing PowerShell Script for Patch Management
Description: An administrator uses PowerShell to run a script that downloads and executes a payload, which may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -File or paths to known patch management tools like WindowsUpdate.exe or WSUS.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job executes a backup script that includes command-line arguments resembling exploit kit behavior.
Filter/Exclusion: Exclude processes with sqlservr.exe or sqlagent.exe, and filter by command lines containing BACKUP DATABASE or sqlcmd.
Scenario: Network Monitoring Tool Performing Traffic Analysis
Description: A network monitoring tool like Wireshark or tcpdump captures and analyzes traffic, which may include patterns that match the exploit kit’s C2 communication.
Filter/Exclusion: Exclude processes related to wireshark.exe, tcpdump.exe, or nmap.exe, and filter by traffic originating from known monitoring tools or internal network interfaces.
Scenario: Security Tool Performing Endpoint Detection and Response (EDR) Actions
Description: An EDR tool like CrowdStrike or Microsoft Defender performs actions that may trigger the rule due to similar process creation or network activity.
Filter/Exclusion: Exclude processes with mpengine.exe, CrowdStrike, or Microsoft Defender and filter