The hypothesis is that the detection identifies potential ZeroAccess Exploit Kit activity through suspicious network behavior indicative of C2 communication or payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by advanced threats leveraging this exploit kit.
YARA Rule
rule zeroaccess_css : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "4944324bad3b020618444ee131dce3d0"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "close-mail{right:130px "
$string1 = "ccc;box-shadow:0 0 5px 1px "
$string2 = "757575;border-bottom:1px solid "
$string3 = "777;height:1.8em;line-height:1.9em;display:block;float:left;padding:1px 15px;margin:0;text-shadow:-1"
$string4 = "C4C4C4;}"
$string5 = "999;-webkit-box-shadow:0 0 3px "
$string6 = "header div.service-links ul{display:inline;margin:10px 0 0;}"
$string7 = "t div h2.title{padding:0;margin:0;}.box5-condition-news h2.pane-title{display:block;margin:0 0 9px;p"
$string8 = "footer div.comp-info p{color:"
$string9 = "pcmi-listing-center .full-page-listing{width:490px;}"
$string10 = "pcmi-content-top .photo img,"
$string11 = "333;}div.tfw-header a var{display:inline-block;margin:0;line-height:20px;height:20px;width:120px;bac"
$string12 = "ay:none;text-decoration:none;outline:none;padding:4px;text-align:center;font-size:9px;color:"
$string13 = "333;}body.page-videoplayer div"
$string14 = "373737;position:relative;}body.node-type-video div"
$string15 = "pcmi-content-sidebara,.page-error-page "
$string16 = "fff;text-decoration:none;}"
$string17 = "qtabs-list li a,"
$string18 = "cdn2.dailyrx.com"
condition:
18 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 19 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a system cleanup or patching tool (e.g., Windows Update, Microsoft Baseline Security Analyzer) may trigger the rule due to similar network behavior.
Filter/Exclusion: Exclude tasks associated with msiexec.exe, wuauclt.exe, or schtasks.exe with known maintenance job names.
Scenario: Internal Vulnerability Scanning Tool
Description: An internal security tool (e.g., Nessus, OpenVAS, or Qualys) performing a vulnerability scan may mimic exploit kit behavior by connecting to internal or external servers.
Filter/Exclusion: Exclude traffic from known internal security tools using their process names or IP ranges (e.g., nessusd, openvas, or qualys).
Scenario: Admin Performing Remote Desktop Protocol (RDP) Session
Description: An administrator using RDP to access a server may trigger the rule due to outbound connections to remote hosts.
Filter/Exclusion: Exclude connections initiated by mstsc.exe or tsclient.exe from known admin workstations.
Scenario: Software Update Distribution via Microsoft Endpoint Manager (MEM)
Description: A legitimate software update distribution via MEM may involve outbound connections to Microsoft servers, which could be flagged by the rule.
Filter/Exclusion: Exclude traffic from Microsoft Intune or MEM related processes (e.g., Microsoft.Intune.MAM or Microsoft.Endpoint.Manager) to known Microsoft update endpoints.
Scenario: Database Backup Job to Cloud Storage
Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) transferring data to cloud storage (e.g., AWS S3, Azure Blob Storage) may trigger the rule due to outbound