The Phoenix Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised legitimate credentials to execute arbitrary code within an Azure environment. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage adversary activity that could lead to persistent access and data exfiltration.
YARA Rule
rule phoenix_jar2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "989c5b5eaddf48010e62343d7a4db6f4"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "a66d578f084.classeQ"
        $string1 = "a4cb9b1a8a5.class"
        $string2 = ")szNu\\MutK"
        $string3 = "qCCwBU"
        $string4 = "META-INF/MANIFEST.MF"
        $string5 = "QR,GOX"
        $string6 = "ab5601d4848.classmT"
        $string7 = "a6a7a760c0e["
        $string8 = "2ZUK[L"
        $string9 = "2VT(Au5"
        $string10 = "a6a7a760c0ePK"
        $string11 = "aa79d1019d8.class"
        $string12 = "aa79d1019d8.classPK"
        $string13 = "META-INF/MANIFEST.MFPK"
        $string14 = "ab5601d4848.classPK"
    condition:
        14 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
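The condition "14 of them" means the file is flagged only when at least 14 of the 15 byte patterns occur somewhere in it. Several of those patterns are entry names from a JAR (a ZIP archive) glued to the bytes that happen to follow them: "aa79d1019d8.classPK" is the entry name as it appears in the ZIP central directory, immediately followed by the "PK" signature of the next record, and "a66d578f084.classeQ" is the name in a local file header followed by the first two bytes of the entry's data. A repacked or recompressed sample changes those adjacent bytes and can drop the match count below the threshold. The following script, added here and not part of the original page or of the YaraGenerator project, evaluates the rule's condition in plain Python (a substring-count stand-in for YARA, so it runs without yara-python) over constructed in-memory JARs; the entry contents, the `phoenix_like_jar` and `benign_jar` builders and their names are all assumptions made for the example, not bytes from the real sample with the hash above.

```python
import io
import zipfile

# The 15 text strings from rule phoenix_jar2, as the bytes YARA searches for
# (the YARA escape "\\" denotes a single backslash).
PHOENIX_JAR2_STRINGS = [
    b"a66d578f084.classeQ",
    b"a4cb9b1a8a5.class",
    b")szNu\\MutK",
    b"qCCwBU",
    b"META-INF/MANIFEST.MF",
    b"QR,GOX",
    b"ab5601d4848.classmT",
    b"a6a7a760c0e[",
    b"2ZUK[L",
    b"2VT(Au5",
    b"a6a7a760c0ePK",
    b"aa79d1019d8.class",
    b"aa79d1019d8.classPK",
    b"META-INF/MANIFEST.MFPK",
    b"ab5601d4848.classPK",
]
THRESHOLD = 14  # from the rule's condition "14 of them"


def matched_strings(data: bytes, patterns=PHOENIX_JAR2_STRINGS):
    """Return the patterns found at least once in data. A YARA text string with
    no modifiers is a case-sensitive byte substring, so `in` is equivalent."""
    return [p for p in patterns if p in data]


def phoenix_jar2_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least THRESHOLD distinct strings present."""
    return len(matched_strings(data)) >= THRESHOLD


def build_jar(entries: dict) -> bytes:
    """Write a stored (uncompressed) JAR in memory. With no extra fields or
    comments, each entry name in the central directory is followed directly by
    the next record's "PK" signature, which is where the "...classPK" strings
    come from; in the local header the name is followed by the entry data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Bytes the rule keys on that come from inside compressed class data in the real
# sample; here they are constructed filler so the threshold can be exercised.
NOISE = [b")szNu\\MutK", b"qCCwBU", b"QR,GOX", b"2ZUK[L", b"2VT(Au5"]


def phoenix_like_jar(noise_count: int = 5) -> bytes:
    """Constructed JAR reproducing the layout the rule expects (assumed names and
    contents, not the real sample). noise_count controls how many of the five
    data-derived strings are embedded, so 5 -> 15 matches, 4 -> 14, 3 -> 13."""
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "a66d578f084.class": b"eQ" + b"\x00" * 8,  # name + "eQ" in local header
        "a4cb9b1a8a5.class": b"\x00" * 8,
        "ab5601d4848.class": b"mT" + b"\x00" * 8,  # name + "mT" in local header
        "a6a7a760c0e": b"[" + b"".join(NOISE[:noise_count]),  # name + "["
        "aa79d1019d8.class": b"\x00" * 8,
    }
    return build_jar(entries)


def benign_jar() -> bytes:
    """Constructed ordinary JAR: only the manifest strings should match."""
    return build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 8,
    })


if __name__ == "__main__":
    for label, blob in [("all strings", phoenix_like_jar(5)),
                        ("13 strings", phoenix_like_jar(3)),
                        ("benign", benign_jar())]:
        hits = matched_strings(blob)
        print(f"{label}: {len(hits)} of {len(PHOENIX_JAR2_STRINGS)} -> "
              f"{'MATCH' if phoenix_jar2_matches(blob) else 'no match'}")
```

Running the script shows the boundary behaviour: the sample with all fifteen strings and the one with exactly fourteen both match, the thirteen-string variant does not, and the benign JAR contributes only the two manifest-derived strings. For production use, load the rule with yara-python or the yara CLI instead; this evaluator exists only to make the threshold and the ZIP-layout origin of the strings visible.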
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or task scheduler) runs a script that temporarily loads a DLL or executes a command that resembles exploit kit behavior.
Filter/Exclusion: Check for process.parent.name == "schtasks.exe" or process.name == "taskhost.exe" and exclude known maintenance scripts.
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script (e.g., PowerShell.exe) used for configuration management (e.g., deploying updates via PSConfig.exe or Group Policy) triggers the same detection logic due to similar command-line arguments.
Filter/Exclusion: Filter by process.name == "PowerShell.exe" and check for known configuration management tools in the command line.
Scenario: Admin Task Using msiexec.exe for Software Deployment
Description: An admin task using msiexec.exe to deploy software may trigger the rule due to similar process behavior or command-line arguments.
Filter/Exclusion: Filter by process.name == "msiexec.exe" and check for known deployment packages or paths.
Scenario: Database Backup Job Using sqlcmd.exe
Description: A database backup job using sqlcmd.exe might trigger the rule if the command line includes parameters that resemble exploit kit activity.
Filter/Exclusion: Filter by process.name == "sqlcmd.exe" and check for known backup scripts or paths.
Scenario: Antivirus or EDR Tool Performing a Scan
Description: A legitimate antivirus or EDR tool (e.g., Microsoft Defender, Bitdefender, or CrowdStrike) may trigger the rule during a scan due to similar process behavior.
Filter/Exclusion: Filter by `