The BleedingLife2 Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised websites to deliver payloads, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks before they escalate.
YARA Rule
rule bleedinglife2_adobe_2010_2884_exploit : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "b22ac6bea520181947e7855cd317c9ac"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "_autoRepeat"
        $string1 = "embedFonts"
        $string2 = "KeyboardEvent"
        $string3 = "instanceStyles"
        $string4 = "InvalidationType"
        $string5 = "autoRepeat"
        $string6 = "getScaleX"
        $string7 = "RadioButton_selectedDownIcon"
        $string8 = "configUI"
        $string9 = "deactivate"
        $string10 = "fl.controls:Button"
        $string11 = "_mouseStateLocked"
        $string12 = "fl.core.ComponentShim"
        $string13 = "toString"
        $string14 = "_group"
        $string15 = "addRadioButton"
        $string16 = "inCallLaterPhase"
        $string17 = "oldMouseState"

    condition:
        17 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic and fires when at least 17 of them are found in the scanned file.
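The following is an added example, not code from the original rule or its author: a plain-Python model of the rule's `17 of them` condition, so its threshold semantics can be checked offline without yara-python. The 18 byte strings are copied from the rule; the sample buffers are constructed test inputs, not real samples. It also shows an edge case worth knowing when tuning such generated rules: `$string5` ("autoRepeat") is a substring of `$string0` ("_autoRepeat"), so any file that hits `$string0` automatically hits `$string5` as well, and the rule effectively requires 16 independent identifiers rather than 17.

```python
# Added example (not part of the original page): a plain-Python model of the
# YARA rule's "17 of them" condition. RULE_STRINGS are the 18 patterns from the
# rule; build_sample() produces constructed test buffers, not real SWF content.
from typing import Iterable

RULE_STRINGS = [
    b"_autoRepeat", b"embedFonts", b"KeyboardEvent", b"instanceStyles",
    b"InvalidationType", b"autoRepeat", b"getScaleX",
    b"RadioButton_selectedDownIcon", b"configUI", b"deactivate",
    b"fl.controls:Button", b"_mouseStateLocked", b"fl.core.ComponentShim",
    b"toString", b"_group", b"addRadioButton", b"inCallLaterPhase",
    b"oldMouseState",
]
THRESHOLD = 17  # the rule's condition: "17 of them"


def matched_strings(data: bytes) -> list:
    """Return the rule strings that occur anywhere in data.

    An unmodified YARA text string is a case-sensitive ASCII substring match,
    which is exactly what `in` does on bytes.
    """
    return [s for s in RULE_STRINGS if s in data]


def rule_matches(data: bytes) -> bool:
    """Model of `condition: 17 of them`: true when at least 17 of 18 strings hit."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(omit: Iterable[bytes] = ()) -> bytes:
    """Constructed sample: the rule strings (minus any omitted) joined by filler,
    mimicking an ActionScript identifier table without being a real file."""
    skip = set(omit)
    parts = [s for s in RULE_STRINGS if s not in skip]
    return b"\x00FILLER\x00".join(parts)


def overlapping_strings() -> list:
    """Report rule strings that are substrings of another rule string.

    Each such pair can only ever count as one independent indicator, which
    lowers the real bar set by the `N of them` threshold.
    """
    return [(a, b) for a in RULE_STRINGS for b in RULE_STRINGS
            if a != b and a in b]


if __name__ == "__main__":
    print("overlaps:", overlapping_strings())
    for label, omit in [("all strings", ()),
                        ("minus autoRepeat", (b"autoRepeat",)),
                        ("minus embedFonts", (b"embedFonts",)),
                        ("minus two independent", (b"embedFonts", b"getScaleX"))]:
        buf = build_sample(omit)
        print(f"{label:22s} hits={len(matched_strings(buf)):2d} "
              f"match={rule_matches(buf)}")
```

Omitting "autoRepeat" from a sample still yields 18 hits because "_autoRepeat" covers it; omitting two genuinely independent strings drops the count to 16 and the rule stays silent. When you tune a generated rule like this one, de-duplicating overlapping strings before choosing the threshold keeps the condition meaning what it says.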
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or executing a payload.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or PowerShell scripts with schtasks.exe or powershell.exe in the command line.
Scenario: Admin Performing Remote Code Execution (RCE) via PowerShell
Description: An administrator uses PowerShell to remotely execute commands on a managed system as part of routine system administration.
Filter/Exclusion: Exclude processes initiated by powershell.exe with the -Command flag and originating from known admin tools or IP ranges used for legitimate remote management.
Scenario: Software Update Deployment via Configuration Management Tool
Description: A configuration management tool like Puppet or Ansible deploys updates that temporarily use similar network behavior to exploit kits.
Filter/Exclusion: Exclude traffic from known configuration management tools (e.g., puppet, ansible, chef) or processes with known update-related command-line arguments.
Scenario: Security Tool Performing Active Scanning
Description: A security tool like Nessus or Qualys performs active scanning, which may generate network activity similar to that of exploit kits.
Filter/Exclusion: Exclude processes related to known security scanning tools (e.g., nessuscli, qualyscli) or network traffic from known security tool IP ranges.
Scenario: Internal Monitoring Tool Mimicking Exploit Behavior
Description: An internal monitoring or logging tool (e.g., Splunk, ELK Stack) may perform actions that resemble exploit kit behavior, such as downloading payloads for analysis.
Filter/Exclusion: Exclude processes associated with known monitoring tools (e.g., splunkd, logstash, filebeat