ZeroAccess Exploit Kit Detection

Hunt Hypothesis

The hypothesis is that the detection identifies potential ZeroAccess Exploit Kit activity through suspicious network behavior indicative of exploit kit infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by known malicious exploit kits.

YARA Rule

rule zeroaccess_js4 : EK js
{
meta:
   author = "Josh Berry"
   date = "2016-06-27"
   description = "ZeroAccess Exploit Kit Detection"
   hash0 = "268ae96254e423e9d670ebe172d1a444"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = ").join("
   $string1 = "JSON.stringify:function(o){if(o"
   $string2 = "){try{var a"
   $string3 = ");return $.jqotecache[i]"
   $string4 = "o.getUTCFullYear(),hours"
   $string5 = "seconds"
   $string6 = "')');};$.secureEvalJSON"
   $string7 = "isFinite(n);},secondsToTime:function(sec_numb){sec_numb"
   $string8 = "')');}else{throw new SyntaxError('Error parsing JSON, source is not valid.');}};$.quoteString"
   $string9 = "o[name];var ret"
   $string10 = "a[m].substr(2)"
   $string11 = ");if(d){return true;}}}catch(e){return false;}}"
   $string12 = "a.length;m<k;m"
   $string13 = "if(parentClasses.length"
   $string14 = "o.getUTCHours(),minutes"
   $string15 = "$.jqote(e,d,t),$$"
   $string16 = "q.test(x)){e"
   $string17 = "{};HGWidget.creator"
condition:
   17 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 18 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled system backup using Veeam Backup & Replication
  Filter/Exclusion: process.name != "vbm" AND process.name != "vagent"
  Rationale: Veeam may execute scripts or binaries that resemble exploit kit behavior during backups.

• Scenario: Administrative task to update endpoint protection software (e.g., Microsoft Defender Antivirus update)
  Filter/Exclusion: process.name != "MsMpEng.exe"
  Rationale: Defender’s update process may trigger similar network activity as ZeroAccess.

• Scenario: Legitimate use of PowerShell for automated configuration management (e.g., Invoke-Command for patching)
  Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE "*Invoke-Command*"
  Rationale: PowerShell scripts used for patching or configuration may mimic exploit kit payloads.

• Scenario: Execution of Windows Task Scheduler job for log rotation or cleanup
  Filter/Exclusion: process.name != "schtasks.exe"
  Rationale: Scheduled tasks may execute scripts or binaries that resemble malicious activity.

• Scenario: Use of Ansible or Chef for configuration management and deployment
  Filter/Exclusion: process.name != "ansible" AND process.name != "chef-client"
  Rationale: These tools may execute scripts or binaries that could be flagged by the detection rule.