The 0x88 Exploit Kit Detection identifies potential exploitation attempts by malicious actors using a known exploit kit to compromise endpoints, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage attacks before they escalate.
YARA Rule
rule zerox88_js2
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "0x88 Exploit Kit Detection"
hash0 = "cad8b652338f5e3bc93069c8aa329301"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "function gSH() {"
$string1 = "200 HEIGHT"
$string2 = "'sh.js'><\\/SCRIPT>"
$string3 = " 2 - 26;"
$string4 = "<IFRAME ID"
$string5 = ",100);"
$string6 = "200></IFRAME>"
$string7 = "setTimeout("
$string8 = "'about:blank' WIDTH"
$string9 = "mf.document.write("
$string10 = "document.write("
$string11 = "Kasper "
condition:
11 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: Legitimate system update using Microsoft Update
Filter/Exclusion: process.parent_process_name == "svchost.exe" && process.name == "wusa.exe" && process.command_line contains "MicrosoftUpdate"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name == "veeambackup.exe" && process.command_line contains "backup" && process.parent_process_name == "services.exe"
Scenario: Admin task using PowerShell for log analysis
Filter/Exclusion: process.name == "powershell.exe" && process.command_line contains "Get-EventLog" || "Get-Event" && process.user == "DOMAIN\AdminUser"
Scenario: Antivirus scan using Bitdefender
Filter/Exclusion: process.name == "bdagent.exe" && process.command_line contains "scan" && process.parent_process_name == "services.exe"
Scenario: Database maintenance task using SQL Server Agent
Filter/Exclusion: process.name == "sqlservr.exe" && process.parent_process_name == "sqlagent.exe" && process.command_line contains "maintenance"