The hypothesis is that the detection identifies potential exploitation attempts by the BlackHole2 Exploit Kit, which is commonly used to deliver malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks before they lead to data exfiltration or system compromise.
YARA Rule
rule blackhole2_htm11 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        hash0 = "e89b56df597688c489f06a0a6dd9efed"
        hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
        hash2 = "a899dedb50ad81d9dbba660747828c7b"
        hash3 = "7cbb58412554327fe8b643204a046e2b"
        hash7 = "530d31a0c45b79c1ee0c5c678e242c02"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // Fragments of an Apache-style directory index page ("Index of /dummy")
        $string0 = "></th><th><a href"
        $string1 = "/icons/back.gif"
        $string2 = ">Description</a></th></tr><tr><th colspan"
        $string3 = "nbsp;</td><td align"
        $string4 = "nbsp;</td></tr>"
        $string5 = "> - </td><td>"
        $string6 = "-//W3C//DTD HTML 3.2 Final//EN"
        $string7 = "<h1>Index of /dummy</h1>"
        $string8 = ">Size</a></th><th><a href"
        $string9 = " </head>"
        $string10 = "/icons/blank.gif"
        $string11 = "><hr></th></tr>"

    condition:
        // at least 11 of the 12 strings must be present
        11 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic and fires when at least 11 of them are present in the scanned file.
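To show what the "11 of them" condition actually evaluates, the following is an added example (not code from the page or from the rule's author) that re-implements the rule's string matching in plain Python, without a YARA engine. The sample page it builds is constructed here to resemble an Apache-style directory listing, which is the kind of markup the rule's strings are taken from; it is not a captured sample. The function names are this example's own.

```python
# Added example (not from the page or the rule's author): the matching logic of
# blackhole2_htm11 re-implemented in plain Python so the "11 of them" condition
# can be examined without installing a YARA engine. A plain byte-substring test
# is what YARA does for these text strings, since the rule sets no modifiers.

RULE_STRINGS = {  # copied verbatim from the rule's strings section
    "$string0": b"></th><th><a href",
    "$string1": b"/icons/back.gif",
    "$string2": b">Description</a></th></tr><tr><th colspan",
    "$string3": b"nbsp;</td><td align",
    "$string4": b"nbsp;</td></tr>",
    "$string5": b"> - </td><td>",
    "$string6": b"-//W3C//DTD HTML 3.2 Final//EN",
    "$string7": b"<h1>Index of /dummy</h1>",
    "$string8": b">Size</a></th><th><a href",
    "$string9": b" </head>",
    "$string10": b"/icons/blank.gif",
    "$string11": b"><hr></th></tr>",
}
REQUIRED_HITS = 11  # the rule's condition: 11 of them


def matched_strings(data: bytes) -> list:
    """Identifiers of every rule string found anywhere in data."""
    return [name for name, pattern in RULE_STRINGS.items() if pattern in data]


def rule_matches(data: bytes) -> bool:
    """True when the rule's condition (at least 11 of the 12 strings) holds."""
    return len(matched_strings(data)) >= REQUIRED_HITS


def make_listing(directory: str) -> bytes:
    """Constructed sample page shaped like an Apache autoindex listing for
    `directory` (not a real capture); the rule's strings are fragments of
    exactly this kind of markup."""
    html = (
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
        '<html>\n'
        ' <head>\n'
        f'  <title>Index of {directory}</title>\n'
        ' </head>\n'
        ' <body>\n'
        f'<h1>Index of {directory}</h1>\n'
        '<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th>'
        '<th><a href="?C=N;O=D">Name</a></th>'
        '<th><a href="?C=M;O=A">Last modified</a></th>'
        '<th><a href="?C=S;O=A">Size</a></th>'
        '<th><a href="?C=D;O=A">Description</a></th></tr>'
        '<tr><th colspan="5"><hr></th></tr>\n'
        '<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td>'
        '<td><a href="/">Parent Directory</a></td><td>&nbsp;</td>'
        '<td align="right"> - </td><td>&nbsp;</td></tr>\n'
        '<tr><th colspan="5"><hr></th></tr>\n'
        '</table>\n</body></html>\n'
    )
    return html.encode()


if __name__ == "__main__":
    samples = [
        ("listing of /dummy", make_listing("/dummy")),
        ("listing of /files", make_listing("/files")),
        ("unrelated page", b"<html><head> </head><body>hi</body></html>"),
    ]
    for label, page in samples:
        hits = matched_strings(page)
        print(f"{label}: {len(hits)} of 12 strings, match={rule_matches(page)}")
```

The "/files" case is the one worth noticing: only `$string7` carries the literal `/dummy` path, so a listing of any other directory still reaches the 11-string threshold. Treat a hit from this rule as a lead to be confirmed (for example against the sample hashes in the rule's meta section) rather than as a verdict on its own.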
Scenario 1: A system administrator is using Microsoft Baseline Security Analyzer (MBSA) to perform a security scan and generates a report that includes BlackHole2-related artifacts.
Filter/Exclusion: Check for the presence of mbsa.exe or mbsacli.exe in the process tree or command line arguments.

Scenario 2: A scheduled backup job using Veeam Backup & Replication is executing and temporarily creates files with names similar to BlackHole2 exploit kit payloads.
Filter/Exclusion: Exclude processes associated with veeam.exe, or check for the presence of "backup" in the command line or process description.

Scenario 3: A Windows Update task is running and downloads a file that matches a known BlackHole2 signature due to a false positive in the antivirus database.
Filter/Exclusion: Exclude files downloaded by wuauclt.exe, or check for the presence of "Windows Update" in the process name or command line.

Scenario 4: A network monitoring tool like Wireshark is capturing traffic that includes BlackHole2-related payloads for analysis, leading to a false positive.
Filter/Exclusion: Exclude processes associated with wireshark.exe, or filter traffic based on known monitoring tool IP ranges or ports.

Scenario 5: A system diagnostic tool such as Sysinternals Process Explorer is being used to analyze processes, and it generates log entries that match BlackHole2 patterns.
Filter/Exclusion: Exclude processes with procexp.exe or "Process Explorer" in the process name or command line.
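The five filter/exclusion checks above, applied as a triage step to alert records before they are escalated, as an added example that is not part of the original page. The `Alert` record shape, the `parent_chain` field, the `triage` function and the sample alerts are all constructed for this example; the image names and keywords come from the scenarios, except `procexp64.exe`, which is added here next to the page's `procexp.exe`. The Wireshark IP-range/port filter needs network telemetry and is not modelled.

```python
# Added example (not from the page): the page's five filter/exclusion checks
# applied to alert records before escalation. Alert, parent_chain, triage and
# the sample alerts are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath


@dataclass
class Alert:
    rule: str                           # e.g. "blackhole2_htm11"
    process_path: str                   # image path of the process tied to the hit
    command_line: str
    parent_chain: Tuple[str, ...] = ()  # ancestor image paths, nearest first (constructed)


# (label, benign image basenames, keywords) per scenario on the page.
# procexp64.exe is added here alongside the page's procexp.exe.
EXCLUSIONS = [
    ("MBSA scan", {"mbsa.exe", "mbsacli.exe"}, ()),
    ("Veeam backup", {"veeam.exe"}, ("backup",)),
    ("Windows Update", {"wuauclt.exe"}, ("windows update",)),
    ("Wireshark capture", {"wireshark.exe"}, ()),
    ("Process Explorer", {"procexp.exe", "procexp64.exe"}, ("process explorer",)),
]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(path).lower()


def suppression_reason(alert: Alert) -> Optional[str]:
    """Label of the first exclusion that applies, or None if the alert should be escalated."""
    # Basenames of the process itself and of every ancestor in the process tree.
    images = {image_name(alert.process_path)}
    images.update(image_name(p) for p in alert.parent_chain)
    # Keyword checks run over the command line and the image path; the path
    # stands in for the "process description" the page mentions.
    haystack = (alert.command_line + " " + alert.process_path).lower()
    for label, benign_images, keywords in EXCLUSIONS:
        if images & benign_images:
            return label
        if any(kw in haystack for kw in keywords):
            return label
    return None


def triage(alerts: List[Alert]):
    """Split alerts into (escalate, suppressed); suppressed pairs each alert with its reason."""
    escalate, suppressed = [], []
    for alert in alerts:
        reason = suppression_reason(alert)
        if reason is None:
            escalate.append(alert)
        else:
            suppressed.append((alert, reason))
    return escalate, suppressed


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("blackhole2_htm11",
          r"C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe",
          "mbsacli.exe /target localhost /n OS"),
    Alert("blackhole2_htm11", r"C:\Windows\System32\svchost.exe",
          "svchost.exe -k netsvcs",
          parent_chain=(r"C:\Windows\System32\services.exe",)),
    Alert("blackhole2_htm11",
          r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
          "VeeamAgent.exe --job nightly"),
    Alert("blackhole2_htm11", r"C:\Windows\System32\wuauclt.exe",
          "wuauclt.exe /detectnow"),
]


if __name__ == "__main__":
    to_escalate, dropped = triage(SAMPLE_ALERTS)
    for alert, reason in dropped:
        print(f"suppressed ({reason}): {alert.process_path}")
    for alert in to_escalate:
        print(f"escalate: {alert.process_path} | {alert.command_line}")
```

Every check here keys on an image name or a substring, which is what the page's filters describe; because a name alone is easy to satisfy, pair the suppression with an image-path or signer check in the SIEM before trusting it, and keep the suppressed alerts logged so the exclusion itself can be audited.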