The Phoenix Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised or unpatched systems to deploy payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage attacks and prevent lateral movement and data exfiltration.
YARA Rule
rule phoenix_html7 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "f0e1b391ec3ce515fd617648bec11681"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "EBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WIN"
        $string1 = "ah80672528657"
        $string2 = "n);tctt)Eltc(Dj"
        $string3 = ";cnt2<tEf"
        $string4 = "iwkne){bvfvgzg5"
        $string5 = "..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l"
        $string6 = "'WIWhaFtF662F6577IseFe427347637"
        $string7 = "ddTh75e{"
        $string8 = "Ae'n,,9"
        $string9 = "%E7E3Vemtyi"
        $string10 = "cf'treran"
        $string11 = "ncBcaocta.ye"
        $string12 = ")'0,p8k"
        $string13 = "0;{tc4F}c;eptdpduoCuuedPl80evD"
        $string14 = "iq,q,Nd(nccfr'Bearc'nBtpw"
        $string15 = ";)npeits0e.uvhF$I'"
        $string16 = "nvasai0.-"
        $string17 = "lmzv'is'"
    condition:
        17 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a system cleanup or patching tool (e.g., Windows Update, Microsoft Baseline Security Analyzer, or WSUS) that may trigger network activity resembling exploit kit behavior.
Filter/Exclusion: Exclude traffic originating from known system maintenance tools or processes (e.g., svchost.exe, wuauserv, msiexec.exe) or filter by IP ranges associated with internal patch management servers.
Scenario: Admin Access via Remote Desktop (RDP)
Description: An administrator connects to a server using RDP, and the connection is flagged due to unusual outbound traffic or command execution patterns.
Filter/Exclusion: Exclude RDP sessions by checking the source IP against a list of known admin IPs, or by filtering traffic on the RDP protocol and port 3389.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool (e.g., Microsoft Defender, Kaspersky, Bitdefender) performs a full system scan, which may result in outbound traffic to cloud-based threat intelligence services.
Filter/Exclusion: Exclude traffic from known security software processes (e.g., MsMpEng.exe, avgnt.exe, kavsvc.exe) or filter on the known cloud service domains those tools contact.
Scenario: Internal Code Signing or Certificate Management
Description: A certificate authority (CA) or code-signing tool (e.g., Microsoft Certificate Services, OpenSSL, Signtool) generates or signs code, which may involve outbound communication to external services.
Filter/Exclusion: Exclude traffic from known CA or code-signing tools by process name or by filtering against internal CA IP ranges.
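As an added example (not part of this page and not the yara library), the Python below evaluates rules of the YaraGenerator shape shown above: it parses the strings section and the "N of them" condition, counts which strings occur in a buffer, and then applies the process-name and source-IP exclusions from the scenarios above before deciding whether a hit should alert. The rule text is embedded verbatim with its meta section dropped; the allowlisted IP ranges, the sample buffers and the event dicts are constructed for the demo and are not values from the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The page's rule, embedded verbatim (meta section dropped; it plays no part in matching).
RULE_TEXT = r"""
rule phoenix_html7 : EK
{
strings:
$string0 = "EBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WIN"
$string1 = "ah80672528657"
$string2 = "n);tctt)Eltc(Dj"
$string3 = ";cnt2<tEf"
$string4 = "iwkne){bvfvgzg5"
$string5 = "..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l"
$string6 = "'WIWhaFtF662F6577IseFe427347637"
$string7 = "ddTh75e{"
$string8 = "Ae'n,,9"
$string9 = "%E7E3Vemtyi"
$string10 = "cf'treran"
$string11 = "ncBcaocta.ye"
$string12 = ")'0,p8k"
$string13 = "0;{tc4F}c;eptdpduoCuuedPl80evD"
$string14 = "iq,q,Nd(nccfr'Bearc'nBtpw"
$string15 = ";)npeits0e.uvhF$I'"
$string16 = "nvasai0.-"
$string17 = "lmzv'is'"
condition:
17 of them
}
"""

_ESCAPES = {'\\"': '"', "\\\\": "\\", "\\n": "\n", "\\t": "\t", "\\r": "\r"}

def _unescape(raw: str) -> bytes:
    """Decode YARA text-string escapes (backslash-quote, double backslash, n, t, r, xNN) to bytes."""
    def repl(m: re.Match) -> str:
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok.startswith("\\x") else _ESCAPES[tok]
    return re.sub(r'\\x[0-9A-Fa-f]{2}|\\[\\"ntr]', repl, raw).encode("latin-1")

@dataclass
class Rule:
    name: str
    strings: Dict[str, bytes]
    threshold: int  # distinct strings that must be present for the rule to fire

def parse_rule(text: str) -> Rule:
    """Parse a rule made of plain text strings and a '<N|all|any> of them' condition."""
    name = re.search(r"^\s*rule\s+(\w+)", text, re.M).group(1)
    strings: Dict[str, bytes] = {}
    section, threshold = None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("meta:", "strings:", "condition:"):
            section = line[:-1]
        elif section == "strings" and (m := re.fullmatch(r'\$(\w+)\s*=\s*"(.*)"', line)):
            strings[m.group(1)] = _unescape(m.group(2))
        elif section == "condition" and line and line != "}":
            m = re.fullmatch(r"(\d+|all|any)\s+of\s+them", line)
            if not m:
                raise ValueError(f"unsupported condition: {line}")
            q = m.group(1)
            threshold = len(strings) if q == "all" else 1 if q == "any" else int(q)
    if threshold is None:
        raise ValueError("rule has no condition")
    return Rule(name, strings, threshold)

def matched_strings(rule: Rule, data: bytes) -> List[str]:
    """Names of the rule's strings found anywhere in data (plain, case-sensitive)."""
    return [n for n, s in rule.strings.items() if s in data]

def rule_matches(rule: Rule, data: bytes) -> bool:
    return len(matched_strings(rule, data)) >= rule.threshold

# Constructed tuning allowlists mirroring the false-positive scenarios above.
MAINTENANCE_PROCESSES = {"svchost.exe", "wuauserv", "msiexec.exe"}
SECURITY_PROCESSES = {"msmpeng.exe", "avgnt.exe", "kavsvc.exe"}
INTERNAL_PATCH_RANGES = [ipaddress.ip_network("10.10.50.0/24")]  # assumed WSUS/CA range
ADMIN_RDP_SOURCES = {ipaddress.ip_address("10.0.0.5")}  # assumed admin jump host

def suppression_reason(event: Dict[str, str]) -> Optional[str]:
    """Return why a hit is suppressed under the scenarios above, or None to keep it."""
    proc = event.get("process", "").lower()
    src = ipaddress.ip_address(event["src_ip"]) if event.get("src_ip") else None
    if proc in MAINTENANCE_PROCESSES:
        return "scheduled maintenance process"
    if proc in SECURITY_PROCESSES:
        return "endpoint protection process"
    if src is not None and any(src in net for net in INTERNAL_PATCH_RANGES):
        return "internal patch/CA server range"
    if src in ADMIN_RDP_SOURCES and event.get("port") == "3389":
        return "known admin RDP session"
    return None

def triage(rule: Rule, data: bytes, event: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """(alert, reason): alert only when the rule fires and no exclusion applies."""
    if not rule_matches(rule, data):
        return False, None
    reason = suppression_reason(event)
    return reason is None, reason

PHOENIX = parse_rule(RULE_TEXT)

if __name__ == "__main__":
    # Constructed samples: a page carrying every string, and one missing two of them.
    full = b"<html>" + b"\n".join(PHOENIX.strings.values()) + b"</html>"
    partial = b"\n".join(list(PHOENIX.strings.values())[:16])
    print(PHOENIX.name, "strings:", len(PHOENIX.strings), "threshold:", PHOENIX.threshold)
    print("browser hit:", triage(PHOENIX, full, {"process": "chrome.exe", "src_ip": "192.0.2.10"}))
    print("scanner hit:", triage(PHOENIX, full, {"process": "MsMpEng.exe"}))
    print("partial page:", triage(PHOENIX, partial, {"process": "chrome.exe"}))
```

Two things worth noticing when running it: with 18 strings and a condition of "17 of them", a sample may lack any one string and still fire, so the threshold is what tunes sensitivity, not the string count. And a process-name exclusion is only as trustworthy as the telemetry that reports the name, so where the log source offers them, keying the exclusion on a signer or full image path is the more robust choice.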
Scenario: Database Backup or Replication Task