← Back to SOC feed Coverage →

Phoenix Exploit Kit Detection

yara LOW Yara-Rules
communityexploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-05-11T11:00:00Z · Confidence: medium

Hunt Hypothesis

The Phoenix Exploit Kit Detection rule identifies potential exploitation attempts by malicious actors leveraging compromised credentials or misconfigured services to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversary activity that could lead to persistent access or data exfiltration.

YARA Rule

rule phoenix_jar : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Phoenix Exploit Kit Detection"
   hash0 = "a8a18219b02d30f44799415ff19c518e"
   sample_filetype = "unknown"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "r.JM,IM"
   $string1 = "qX$8$a"
   $string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
   $string3 = "a.classPK"
   $string4 = "6;\\Q]Q"
   $string5 = "h[s] X"
   $string6 = "ToolsDemoSubClass.classPK"
   $string7 = "a.class"
   $string8 = "META-INF/MANIFEST.MFPK"
   $string9 = "ToolsDemoSubClass.classeO"
   $string10 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProviderPK"
condition:
   10 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 11 string patterns in its detection logic.

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/exploit_kits/EK_Phoenix.yar