The BleedingLife2 exploit kit detection rule identifies potential exploitation attempts in which malicious actors use compromised websites to deliver payloads, an indicator of possible initial compromise. SOC teams should proactively hunt for matches in Azure Sentinel to detect and mitigate early-stage attacks before they escalate.
YARA Rule
rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "8179a7f91965731daa16722bd95f0fcf"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // Literal strings auto-generated from the sample; most are consistent with
        // Flash (ActionScript) UI component identifiers and XMP metadata
        $string0 = "getSharedStyle"
        $string1 = "currentCount"
        $string2 = "String"
        $string3 = "setSelection"
        $string4 = "BOTTOM"
        $string5 = "classToInstancesDict"
        $string6 = "buttonDown"
        $string7 = "focusRect"
        $string8 = "pill11"
        $string9 = "TEXT_INPUT"
        $string10 = "restrict"
        $string11 = "defaultButtonEnabled"
        $string12 = "copyStylesToChild"
        $string13 = " xmlns:xmpMM"
        $string14 = "_editable"
        $string15 = "classToDefaultStylesDict"
        $string16 = "IMEConversionMode"
        $string17 = "Scene 1"

    condition:
        // 18 strings are defined; at least 17 distinct ones must occur in the scanned file
        17 of them
}
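The condition "17 of them" counts how many distinct rule strings occur in the scanned data, not how many times they occur, and fires once that count reaches the threshold. The following is an added illustration, not part of the original page and not the yara engine: a minimal evaluator that parses only the plain-text strings and the "<N> of them" condition form used by this rule (escape sequences and string modifiers are not handled) and runs it against constructed buffers that contain 18, 17 and 16 of the strings.

```python
# Added illustration (not from the original page, not the yara engine): a minimal
# evaluator for the "<N> of them" condition used by the bleedinglife2 rule above.
# Supports only plain text strings and that single condition form, which is all
# this rule needs; escape sequences and modifiers (nocase, wide, ...) are not handled.
import re

# The rule's strings and condition, copied from the page (meta section omitted).
RULE_TEXT = r'''
rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
{
    strings:
        $string0 = "getSharedStyle"
        $string1 = "currentCount"
        $string2 = "String"
        $string3 = "setSelection"
        $string4 = "BOTTOM"
        $string5 = "classToInstancesDict"
        $string6 = "buttonDown"
        $string7 = "focusRect"
        $string8 = "pill11"
        $string9 = "TEXT_INPUT"
        $string10 = "restrict"
        $string11 = "defaultButtonEnabled"
        $string12 = "copyStylesToChild"
        $string13 = " xmlns:xmpMM"
        $string14 = "_editable"
        $string15 = "classToDefaultStylesDict"
        $string16 = "IMEConversionMode"
        $string17 = "Scene 1"
    condition:
        17 of them
}
'''

# $name = "literal"  (only "$"-prefixed lines are strings; meta keys carry no "$")
STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"', re.M)
# condition: <N> of them
COND_RE = re.compile(r'condition:\s*(\d+)\s+of\s+them')


def parse_rule(text):
    """Return ({name: pattern_bytes}, threshold) for a '<N> of them' rule."""
    strings = {name: val.encode("latin-1") for name, val in STRING_RE.findall(text)}
    m = COND_RE.search(text)
    if m is None:
        raise ValueError("only '<N> of them' conditions are supported here")
    return strings, int(m.group(1))


def matched_strings(strings, data):
    """Names of the rule strings that occur anywhere in data (plain substring match)."""
    return sorted(name for name, pat in strings.items() if pat in data)


def rule_matches(strings, threshold, data):
    """'N of them' counts distinct strings found, not occurrences, and fires at >= N."""
    return len(matched_strings(strings, data)) >= threshold


STRINGS, THRESHOLD = parse_rule(RULE_TEXT)


def build_sample(n):
    """Constructed test buffer holding the first n rule strings separated by filler."""
    return b"\x00filler\x00".join(list(STRINGS.values())[:n]) + b"\x00"


if __name__ == "__main__":
    for n in (18, 17, 16):
        print(n, "strings present ->", rule_matches(STRINGS, THRESHOLD, build_sample(n)))
```

The run shows the threshold behaviour directly: buffers with 18 or 17 of the strings match, a buffer with 16 does not. Because "$string2 = "String"" and similar short literals appear in enormous numbers of benign files, the high threshold is what keeps the rule usable; any tuning that lowers it should be tested the same way against known-good files.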
This rule contains 18 string patterns in its detection logic and requires 17 of them to match. It can be deployed in the following contexts, where the listed filters and exclusions help separate routine administrative activity from true positives:
Scenario: System update or patching process using WSUS (Windows Server Update Services)
Filter/Exclusion: Check for ProcessName = "wuauclt.exe" or CommandLine contains "wusa.exe" with Argument contains "/quiet" or Argument contains "/norestart"
Scenario: Scheduled job running PowerShell scripts for system maintenance or configuration management
Filter/Exclusion: Filter by ProcessName = "powershell.exe" and CommandLine contains "Invoke-Command" or CommandLine contains "Start-Process" with known legitimate script paths
Scenario: Logon scripts executing during user login to configure environment variables or install tools
Filter/Exclusion: Check for ProcessName = "cmd.exe" or ProcessName = "explorer.exe" with CommandLine contains "logon.bat" or CommandLine contains "userinit.exe"
Scenario: Remote Desktop Services (RDS) session initialization triggering background processes
Filter/Exclusion: Filter by ProcessName = "mstsc.exe" or ProcessName = "tscon.exe" and check for ParentProcessName = "services.exe" or ParentProcessName = "rdpclip.exe"
Scenario: System configuration tool like Group Policy Preferences (GPP) deploying settings or scripts
Filter/Exclusion: Check for ProcessName = "gpupdate.exe" or ProcessName = "gpreference.exe" and verify CommandLine contains "/force" or CommandLine contains "/target" with valid GPP paths
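The five Scenario / Filter-Exclusion pairs above can be expressed as predicates over process-execution events before an alert is raised. The block below is an added illustration, not part of the original page: it implements each exclusion as written, run against constructed sample events. Where the page's wording is ambiguous (and/or precedence in the WSUS scenario), the interpretation chosen is noted in a comment, and the "known legitimate script paths" and "valid GPP paths" allowlists are constructed placeholders, not values from the page.

```python
# Added illustration (not from the original page): the Scenario / Filter-Exclusion
# pairs as predicates over process-execution events, applied to constructed samples.
# Allowlisted paths below are placeholders; replace them with your environment's values.

KNOWN_SCRIPT_PATHS = ["C:\\Scripts\\Maintenance\\", "C:\\ProgramData\\ConfigMgmt\\"]  # placeholder
VALID_GPP_PATHS = ["\\\\example.local\\SYSVOL\\"]                                      # placeholder


def _proc(ev):
    return ev.get("ProcessName", "").lower()


def _cmd(ev):
    return ev.get("CommandLine", "")


def _parent(ev):
    return ev.get("ParentProcessName", "").lower()


def wsus_update(ev):
    # Interpretation: wuauclt.exe OR (wusa.exe AND (/quiet OR /norestart))
    cmd = _cmd(ev).lower()
    return _proc(ev) == "wuauclt.exe" or (
        "wusa.exe" in cmd and ("/quiet" in cmd or "/norestart" in cmd))


def scheduled_powershell(ev):
    # powershell.exe with Invoke-Command or Start-Process AND a known script path
    cmd = _cmd(ev)
    return (_proc(ev) == "powershell.exe"
            and ("Invoke-Command" in cmd or "Start-Process" in cmd)
            and any(p.lower() in cmd.lower() for p in KNOWN_SCRIPT_PATHS))


def logon_script(ev):
    cmd = _cmd(ev).lower()
    return _proc(ev) in ("cmd.exe", "explorer.exe") and (
        "logon.bat" in cmd or "userinit.exe" in cmd)


def rds_session(ev):
    return (_proc(ev) in ("mstsc.exe", "tscon.exe")
            and _parent(ev) in ("services.exe", "rdpclip.exe"))


def gpp_deployment(ev):
    cmd = _cmd(ev).lower()
    return (_proc(ev) in ("gpupdate.exe", "gpreference.exe")
            and ("/force" in cmd or "/target" in cmd)
            and any(p.lower() in cmd for p in VALID_GPP_PATHS))


EXCLUSIONS = [
    ("WSUS update", wsus_update),
    ("Scheduled PowerShell", scheduled_powershell),
    ("Logon script", logon_script),
    ("RDS session", rds_session),
    ("GPP deployment", gpp_deployment),
]


def exclusion_reason(ev):
    """Name of the first matching exclusion, or None if the event should be kept."""
    for name, pred in EXCLUSIONS:
        if pred(ev):
            return name
    return None


def triage(events):
    """Split events into (kept, excluded); each entry is (event, reason)."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (excluded if reason else kept).append((ev, reason))
    return kept, excluded


# Constructed sample events (not real telemetry). The third one uses Invoke-Command
# but points at a path outside the allowlist, so it must NOT be excluded.
SAMPLE_EVENTS = [
    {"ProcessName": "wuauclt.exe", "CommandLine": "wuauclt.exe /detectnow", "ParentProcessName": "svchost.exe"},
    {"ProcessName": "powershell.exe", "CommandLine": r"powershell.exe Invoke-Command -FilePath C:\Scripts\Maintenance\cleanup.ps1", "ParentProcessName": "svchost.exe"},
    {"ProcessName": "powershell.exe", "CommandLine": r"powershell.exe Invoke-Command -FilePath C:\Users\Public\task.ps1", "ParentProcessName": "explorer.exe"},
    {"ProcessName": "mstsc.exe", "CommandLine": "mstsc.exe", "ParentProcessName": "services.exe"},
    {"ProcessName": "gpupdate.exe", "CommandLine": r"gpupdate.exe /force /target:computer \\example.local\SYSVOL\policy", "ParentProcessName": "cmd.exe"},
]


if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    for ev, reason in excluded:
        print("excluded:", ev["ProcessName"], "->", reason)
    for ev, _ in kept:
        print("kept:    ", ev["ProcessName"], ev["CommandLine"])
```

Two points worth keeping in mind when applying these: the scenarios describe process-execution telemetry, which is a different data source from the file content the YARA rule inspects, so they tune the alert pipeline around the rule rather than the rule itself; and exclusions keyed on a substring such as "Start-Process" are only as safe as the path allowlist that accompanies them, which is why the PowerShell and GPP predicates refuse to exclude an event without a matching path.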