The detection hypothesis is that this rule identifies potential ZeroAccess Exploit Kit activity through suspicious network behavior indicative of exploit kit infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by known malicious exploit kits.
YARA Rule

rule zeroaccess_js3 : EK js
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "ZeroAccess Exploit Kit Detection"
        hash0 = "5f13fdfb53a3e60e93d7d1d7bbecff4f"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        // Text fragments extracted from the JS/HTML sample by YaraGenerator
        $string0 = "document.createDocumentFragment();img.src"
        $string1 = "typeOf(events)"
        $string2 = "var i,x,y,ARRcookies"
        $string3 = "callbacks.length;j<l;j"
        $string4 = "encodeURIComponent(value);if(options.domain)value"
        $string5 = "event,HG.components.get('windowEvent_'"
        $string6 = "'read'in Cookie){return Cookie.read(c_name);}"
        $string7 = "item;},get:function(name,def){return HG.components.exists(name)"
        $string8 = "){window.addEvent(windowEvents[i],function(){var callbacks"
        $string9 = "reunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HG"
        $string10 = "name){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'"
        $string11 = "window.HG"
        $string12 = "x.replace(/"
        $string13 = "encodeURIComponent(this.attr[key]));}"
        $string14 = "options.domain;if(options.path)value"
        $string15 = "this.page_sid;this.attr.user_sid"
    condition:
        // At least 15 of the 16 strings must be present in the scanned file
        15 of them
}
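To make the "15 of them" condition concrete, the following is an added example (not code from the page or from the rule's author): a small Python evaluator that parses the rule's text strings and threshold, then counts how many strings occur in a blob of content. It only understands plain text strings and the "N of them" condition form, which is all this rule uses; the sample inputs (a full copy of every string, a copy missing two strings, and a benign page containing just `window.HG`) are constructed for illustration.

```python
import re

# Rule text copied from the page (meta trimmed) so the example is self-contained.
RULE_TEXT = r'''
rule zeroaccess_js3 : EK js
{
    meta:
        author = "Josh Berry"
        description = "ZeroAccess Exploit Kit Detection"
    strings:
        $string0 = "document.createDocumentFragment();img.src"
        $string1 = "typeOf(events)"
        $string2 = "var i,x,y,ARRcookies"
        $string3 = "callbacks.length;j<l;j"
        $string4 = "encodeURIComponent(value);if(options.domain)value"
        $string5 = "event,HG.components.get('windowEvent_'"
        $string6 = "'read'in Cookie){return Cookie.read(c_name);}"
        $string7 = "item;},get:function(name,def){return HG.components.exists(name)"
        $string8 = "){window.addEvent(windowEvents[i],function(){var callbacks"
        $string9 = "reunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HG"
        $string10 = "name){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'"
        $string11 = "window.HG"
        $string12 = "x.replace(/"
        $string13 = "encodeURIComponent(this.attr[key]));}"
        $string14 = "options.domain;if(options.path)value"
        $string15 = "this.page_sid;this.attr.user_sid"
    condition:
        15 of them
}
'''

# Matches a YARA text string definition such as:  $string3 = "callbacks.length;j<l;j"
STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')
# Matches the only condition form this toy evaluator understands: "<N> of them"
COND_RE = re.compile(r'^\s*(\d+)\s+of\s+them\s*$')


def _unescape(s: str) -> str:
    # Assumption: only the \" and \\ escapes matter (none occur in this rule).
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_rule(text: str):
    """Return ({string_id: plain text}, threshold) from a text-string-only rule.
    Assumption: no hex strings, regex strings or modifiers (nocase, wide, ...)."""
    strings, threshold, section = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("meta:", "strings:", "condition:"):
            section = stripped[:-1]
            continue
        if section == "strings":
            m = STRING_RE.match(line)
            if m:
                strings[m.group(1)] = _unescape(m.group(2))
        elif section == "condition":
            m = COND_RE.match(line)
            if m:
                threshold = int(m.group(1))
    if threshold is None:
        raise ValueError("unsupported condition form")
    return strings, threshold


def count_matches(strings: dict, data: bytes) -> int:
    """Number of rule strings present anywhere in data (plain substring search)."""
    return sum(1 for s in strings.values() if s.encode() in data)


def rule_matches(strings: dict, threshold: int, data: bytes) -> bool:
    """True when at least `threshold` distinct strings are present."""
    return count_matches(strings, data) >= threshold


STRINGS, THRESHOLD = parse_rule(RULE_TEXT)


def build_sample(drop=()) -> bytes:
    """Constructed JS-like blob holding every rule string except those in `drop`."""
    body = "\n".join(v for k, v in STRINGS.items() if k not in drop)
    return ("/* constructed test page */\n" + body).encode()


FULL_SAMPLE = build_sample()                                    # all 16 strings
PARTIAL_SAMPLE = build_sample(drop=("string0", "string11"))     # 14 strings: below threshold
BENIGN_PAGE = b"<html><script>window.HG = {};</script></html>"  # constructed, 1 string

if __name__ == "__main__":
    for name, blob in [("full", FULL_SAMPLE), ("partial", PARTIAL_SAMPLE), ("benign", BENIGN_PAGE)]:
        print(f"{name}: {count_matches(STRINGS, blob)}/{len(STRINGS)} strings, "
              f"match={rule_matches(STRINGS, THRESHOLD, blob)}")
```

The evaluator shows why the threshold matters for tuning: a page that carries only a handful of these generic-looking JS fragments (cookie helpers, `window.HG`, `encodeURIComponent`) never reaches 15, so the rule fires only on content that is nearly identical to the original sample.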
This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns ($string0 through $string15) in its detection logic; the condition requires 15 of them to be present, so a file missing at most one of the strings still matches.
Scenario: Scheduled system maintenance task using task scheduler to run a legitimate script
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.parent_process_path:"C:\\Windows\\System32\\taskschd.exe"
Scenario: Admin performing a software update using Windows Update or WSUS
Filter/Exclusion: process.name:"wusa.exe" or process.name:"wuauclt.exe" or process.parent_process_name:"Windows Update"
Scenario: Database backup job using SQL Server Agent or MySQL scheduled task
Filter/Exclusion: process.name:"sqlservr.exe" or process.name:"mysqld.exe" or process.parent_process_name:"SQL Server Agent"
Scenario: IT staff using PowerShell to automate configuration management (e.g., PSConfig or DSC)
Filter/Exclusion: process.name:"powershell.exe" with process.command_line:"-Command" or process.command_line:"PSConfig"
Scenario: Legitimate use of wget or curl for downloading software updates or patches
Filter/Exclusion: process.name:"wget.exe" or process.name:"curl.exe" with process.command_line:"--output" or process.command_line:"-O"
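The scenario/filter pairs above are written as search-style expressions. As an added example (not from the page), the block below expresses each of them as a Python predicate over a process event and runs them against constructed events, so the effect of each exclusion can be checked before it is deployed. The field names (`process.name`, `process.parent_process_name`, `process.parent_process_path`, `process.command_line`) are the page's; the reading of "with" as AND, the grouping of the wget/curl clause as (wget or curl) and (--output or -O), the case-sensitive substring matching, and the sample events are all assumptions of this example.

```python
# Each exclusion: (scenario label, predicate over an event dict keyed by the page's field names).
EXCLUSIONS = [
    ("scheduled task", lambda e:
        e.get("process.parent_process_name") == "Task Scheduler"
        or e.get("process.parent_process_path") == r"C:\Windows\System32\taskschd.exe"),
    ("windows update", lambda e:
        e.get("process.name") in ("wusa.exe", "wuauclt.exe")
        or e.get("process.parent_process_name") == "Windows Update"),
    ("database backup", lambda e:
        e.get("process.name") in ("sqlservr.exe", "mysqld.exe")
        or e.get("process.parent_process_name") == "SQL Server Agent"),
    # Assumption: "with" is AND; the trailing PSConfig clause stands on its own, as written.
    ("powershell config management", lambda e:
        (e.get("process.name") == "powershell.exe"
         and "-Command" in e.get("process.command_line", ""))
        or "PSConfig" in e.get("process.command_line", "")),
    # Assumption: (wget or curl) AND (--output or -O); plain substring match like the page's filter.
    ("wget/curl update download", lambda e:
        e.get("process.name") in ("wget.exe", "curl.exe")
        and any(flag in e.get("process.command_line", "") for flag in ("--output", "-O"))),
]


def excluded_by(event: dict):
    """Return the label of the first exclusion that suppresses this event, or None."""
    for label, predicate in EXCLUSIONS:
        if predicate(event):
            return label
    return None


def triage(events):
    """Split events into (kept_for_review, suppressed); each entry is (event id, reason)."""
    kept, suppressed = [], []
    for ev in events:
        reason = excluded_by(ev)
        (suppressed if reason else kept).append((ev["id"], reason))
    return kept, suppressed


# Constructed process events for illustration only.
SAMPLE_EVENTS = [
    {"id": 1, "process.name": "wuauclt.exe", "process.parent_process_name": "svchost.exe",
     "process.command_line": "wuauclt.exe /detectnow"},
    {"id": 2, "process.name": "powershell.exe", "process.parent_process_name": "explorer.exe",
     "process.command_line": "powershell.exe -Command Start-DscConfiguration -Path C:\\DSC"},
    # Script host launched by a browser: no exclusion applies, so it stays in the review queue.
    {"id": 3, "process.name": "wscript.exe", "process.parent_process_name": "iexplore.exe",
     "process.command_line": "wscript.exe C:\\Users\\Public\\page.js"},
    {"id": 4, "process.name": "curl.exe", "process.parent_process_name": "cmd.exe",
     "process.command_line": "curl.exe -O https://updates.example.test/patch.msi"},
    # curl without an output flag does not meet the exclusion and is kept.
    {"id": 5, "process.name": "curl.exe", "process.parent_process_name": "cmd.exe",
     "process.command_line": "curl.exe https://203.0.113.10/r"},
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS)
    print("kept for review:", kept)
    print("suppressed:", suppressed)
```

Because the predicates mirror the page's expressions literally, running them over a day's worth of real events is a quick way to measure how much each exclusion suppresses; the PowerShell filter in particular keys on "-Command" alone, so its suppression volume is worth reviewing before it goes live.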