The Sakura Exploit Kit delivers malicious payloads to browsers through compromised websites, so a file matching this rule is evidence of a possible initial compromise. SOC teams should hunt for it proactively. The rule matches file bytes, not network traffic, so the hits have to come from endpoint, proxy, mail-gateway or sandbox file scanning, with the match events forwarded to Azure Sentinel (now Microsoft Sentinel) so that early-stage adversary activity is identified and mitigated before it leads to deeper network infiltration.
YARA Rule
rule sakura_jar2 : EK jar
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Sakura Exploit Kit Detection"
        hash0 = "d21b4e2056e5ef9f9432302f445bcbe1"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        // Mix of ordinary JVM constant-pool / manifest entries and the
        // sample's obfuscated identifiers (the "jhgreshh"-padded names,
        // LLolp;, onfwwa, LEsia$fffgss;, Oi.class). Generated by YaraGenerator.
        $string0 = "getProperty"
        $string1 = "java/io/FileNotFoundException"
        $string2 = "LLolp;"
        $string3 = "cjhgreshhnuf "
        $string4 = "StackMapTable"
        $string5 = "onfwwa"
        $string6 = "(C)Ljava/lang/StringBuilder;"
        $string7 = "replace"
        $string8 = "LEsia$fffgss;"
        $string9 = "<clinit>"
        $string10 = "()Ljava/io/InputStream;"
        $string11 = "openConnection"
        $string12 = " gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)"
        $string13 = "Oi.class"
        $string14 = " rjhgreshhorjhgreshhre rajhgreshhv"
        $string15 = "java/lang/String"
        $string16 = "java/net/URL"
        $string17 = "Created-By: 1.7.0-b147 (Oracle Corporation)"
    condition:
        // 17 of the 18 strings must be present, so at most one may be absent.
        17 of them
}
This YARA rule can be deployed in the following contexts: file scanning on endpoints and EDR agents, scanning of downloads and attachments at the web proxy or mail gateway, automated sandboxes, and retrospective hunts over a malware or artifact repository. In every case the rule inspects file bytes; it never inspects network traffic, so match events must be produced by one of these scanning layers and then forwarded to the SIEM.

This rule contains 18 string patterns in its detection logic, and its condition fires when 17 of them are present. Eleven of the strings (getProperty, java/io/FileNotFoundException, StackMapTable, (C)Ljava/lang/StringBuilder;, replace, <clinit>, ()Ljava/io/InputStream;, openConnection, java/lang/String, java/net/URL and the Created-By manifest line) are ordinary JVM constant-pool and manifest entries, common in clean Java class files that download over java.net.URL and were built with that JDK. The remaining seven (LLolp;, cjhgreshhnuf , onfwwa, LEsia$fffgss;, Oi.class and the two long jhgreshh-padded strings) are the obfuscated identifiers of this particular sample, and the 17-of-18 threshold means at least six of them must be present. A clean JAR therefore does not trigger the rule merely because it uses the same classes and the same JDK build.

One practical caveat: JAR entries are normally deflated. YARA matches raw bytes, so when it is pointed at the .jar file itself only the ZIP headers (member names such as Oi.class) and uncompressed members are visible, and the class-file and MANIFEST.MF strings are not. Run the rule against extracted members, or through a scanner that unpacks archives before matching.

False-positive scenarios and how to scope exclusions:

Scenario: Scheduled System Maintenance Task
Description: A scheduled job fetches JAR updates from an internal repository with curl or wget, and the downloaded archives land in a directory that is scanned.
Filter/Exclusion: Exclude the internal update artifacts by file hash or code-signing certificate, not by the source IP or domain of the download; the rule never sees the transfer, only the resulting file.

Scenario: User-Initiated File Transfer via scp or rsync
Description: A user copies Java archives between hosts with scp or rsync, and the copied files are scanned on arrival.
Filter/Exclusion: Exclude known internal builds by hash. Do not exclude by transferring user or host, since a compromised account can move a malicious JAR the same way.

Scenario: Security Tooling That Stores Samples
Description: Malware analysis workstations, sandboxes and threat-intelligence repositories legitimately hold exploit kit samples that match this rule.
Filter/Exclusion: Exclude the security team's sample storage paths, and treat hits there as expected rather than as initial compromise.

Administrative SSH sessions, vulnerability scanners such as Nessus or OpenVAS, and API clients driven by curl or Postman generate network traffic, not Java archives on disk, and cannot match this rule. Exclusions keyed on admin IP addresses, scanner sources or known API endpoints belong to network signatures and should not be applied here.
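The two points above that matter operationally, that a deflated JAR hides its class-file strings from a raw-byte scan and that the 17-of-18 threshold cannot be reached by the eleven generic strings alone, can be checked without a real sample. The script below is an added example, not code from the original page or from the rule's author: it re-implements only the rule's trivial parts (plain substring search and the "N of them" count) against two archives constructed inline. The class-file contents, the member names com/example/Updater.class and Oi.class, and the manifest are all constructed stand-ins, not real Sakura artifacts.

```python
"""Evaluate the sakura_jar2 string set the way a scanner sees a JAR.
Added example (not from the page or the rule's author); it re-implements only
plain substring search and the 'N of them' count. Sample archives are
constructed inline so the script runs offline. Not a replacement for YARA."""
import io
import zipfile

# The 18 strings from the rule, copied verbatim and in the rule's order.
SAKURA_STRINGS = [
    b"getProperty",
    b"java/io/FileNotFoundException",
    b"LLolp;",
    b"cjhgreshhnuf ",
    b"StackMapTable",
    b"onfwwa",
    b"(C)Ljava/lang/StringBuilder;",
    b"replace",
    b"LEsia$fffgss;",
    b"<clinit>",
    b"()Ljava/io/InputStream;",
    b"openConnection",
    b" gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)",
    b"Oi.class",
    b" rjhgreshhorjhgreshhre rajhgreshhv",
    b"java/lang/String",
    b"java/net/URL",
    b"Created-By: 1.7.0-b147 (Oracle Corporation)",
]
THRESHOLD = 17  # condition: 17 of them

# Ordinary JVM constant-pool / manifest entries: a clean JAR that downloads
# over java.net.URL and was built with that JDK can contain all eleven.
GENERIC = frozenset({
    b"getProperty", b"java/io/FileNotFoundException", b"StackMapTable",
    b"(C)Ljava/lang/StringBuilder;", b"replace", b"<clinit>",
    b"()Ljava/io/InputStream;", b"openConnection", b"java/lang/String",
    b"java/net/URL", b"Created-By: 1.7.0-b147 (Oracle Corporation)",
})
# The other seven are the sample's obfuscated identifiers; 17 of 18 means at
# least six of them must be present for the rule to fire.
OBFUSCATED = [s for s in SAKURA_STRINGS if s not in GENERIC]


def matched_strings(data: bytes) -> set:
    """Rule strings found as raw bytes in data (plain, case-sensitive search)."""
    return {s for s in SAKURA_STRINGS if s in data}


def scan_raw(jar_bytes: bytes) -> set:
    """YARA pointed at the .jar itself: deflated members are opaque, so only
    ZIP headers (member names) and stored members can match."""
    return matched_strings(jar_bytes)


def scan_extracted(jar_bytes: bytes) -> set:
    """An archive-aware scan: the raw file plus every member decompressed."""
    hits = matched_strings(jar_bytes)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            hits |= matched_strings(zf.read(info))
    return hits


def rule_fires(hits: set) -> bool:
    """The rule's condition, '17 of them'."""
    return len(hits) >= THRESHOLD


def build_jar(members: dict) -> bytes:
    """Constructed sample: a deflated ZIP with the given members (not a real JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_class(strings) -> bytes:
    """Constructed stand-in for a class file: JVM magic plus the constant
    strings a scanner would see. Not a loadable class."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(strings) + b"\x00"


MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: 1.7.0-b147 (Oracle Corporation)\r\n\r\n"

# Benign-looking archive: a JDK 7 build whose one class fetches data over a URL.
BENIGN_JAR = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "com/example/Updater.class": fake_class(
        [s for s in SAKURA_STRINGS if s in GENERIC and not s.startswith(b"Created-By")]),
})

# Archive mirroring the sample: generic strings plus the obfuscated names.
# "Oi.class" comes from the member name, "Created-By" from the manifest.
SAKURA_LIKE_JAR = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "Oi.class": fake_class(
        [s for s in SAKURA_STRINGS if s != b"Oi.class" and not s.startswith(b"Created-By")]),
})

if __name__ == "__main__":
    for label, jar in (("benign", BENIGN_JAR), ("sakura-like", SAKURA_LIKE_JAR)):
        raw, full = scan_raw(jar), scan_extracted(jar)
        print(f"{label}: raw-file scan {len(raw)}/18, extracted scan {len(full)}/18, "
              f"rule fires: {rule_fires(full)}")
```

On the sakura-like archive the raw-file scan sees only the Oi.class member name and stays far below the threshold, while the extracted scan finds all 18 strings and the rule fires; the benign archive reaches exactly the eleven generic strings under either scan and never fires. The same split (scan the extracted members, not the container) applies to any YARA rule aimed at JAR, APK or other ZIP-based formats.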