The bleedinglife2_jar2 rule detects the Java archive (JAR) that the BleedingLife2 exploit kit served to visitors of compromised websites in order to run its malware payload. A hit on an endpoint means a user reached an exploit-kit landing page and was served the exploit; a hit on one of your own web servers means the site has been compromised to host the kit. Either way it is an early-stage event that precedes payload execution and lateral movement, so SOC teams should hunt for matching files and correlate the hits in Azure Sentinel to detect and contain the intrusion before it spreads.
YARA Rule
rule bleedinglife2_jar2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "2bc0619f9a0c483f3fd6bce88148a7ab"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        // ZIP entry names of the JAR. The trailing "PK" is the signature of the
        // record that follows the name in the central directory, which is why
        // YaraGenerator picked the names up with that suffix.
        $string0 = "META-INF/MANIFEST.MFPK"
        $string1 = "RequiredJavaComponent.classPK"
        // Entry name followed by the first byte after it in the local file
        // header (extra field or entry data); specific to this sample.
        $string2 = "META-INF/JAVA.SFm"
        // Plain entry names; substrings of $string1 and $string0 respectively.
        $string3 = "RequiredJavaComponent.class"
        $string4 = "META-INF/MANIFEST.MF"
        $string5 = "META-INF/JAVA.DSAPK"
        $string6 = "META-INF/JAVA.SFPK"
        // Raw fragments of the sample's entry data; tied to its exact bytes.
        $string7 = "5EVTwkx"
        $string8 = "META-INF/JAVA.DSA3hb"
        $string9 = "y\\Dw -"
    condition:
        9 of them
}
Deploy this rule wherever the file itself can be scanned: an endpoint YARA scanner, a sandbox or detonation pipeline, or a web or mail gateway that unpacks downloads. Forward the hits to the SIEM (Azure Sentinel in the workflow above) for correlation; the SIEM only receives the alert, it does not run the rule.
The rule contains 10 string patterns and its condition is 9 of them, so a file may miss at most one. Six of the strings are ZIP entry names ($string0, $string1, $string3, $string4, $string5, $string6; note that $string3 and $string4 are substrings of $string1 and $string0 and never add independent evidence), while the other four ($string2, $string7, $string8, $string9) are raw byte fragments of the original sample's entry data. Because at least three of those fragments must be present, the rule is effectively pinned to the sample listed in hash0: a rebuilt or re-compressed copy of the same JAR keeps the entry names but not the fragments and is unlikely to fire, so treat the entry names as the durable indicator when writing follow-up detections.
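To make the 9-of-10 condition concrete, the following added example (not code from the original page or from the rule's author) re-implements the rule's plain-string test and condition in pure Python, with no yara-python dependency, and runs it over a constructed JAR that has the same entry names as the sample but placeholder contents. The constructed archive, its contents and the STRUCTURAL_ENTRIES set are assumptions made for the example; the sample behind hash0 is not available here. It shows that a JAR with the right layout hits only the six entry-name strings and does not trip the rule, and separately lists the entry names from the ZIP directory, which is the check that survives re-compression.

```python
"""Emulate the bleedinglife2_jar2 string logic over a constructed JAR.

Added example, not part of the original page. It re-implements the rule's
plain-string matching and "9 of them" condition with the standard library
only, so it runs offline without yara-python.
"""
import io
import zipfile

# The ten plain strings from the rule as raw bytes. YARA's "y\\Dw -" is the
# six bytes y \ D w space -, so the backslash is escaped once here as well.
RULE_STRINGS = {
    "$string0": b"META-INF/MANIFEST.MFPK",
    "$string1": b"RequiredJavaComponent.classPK",
    "$string2": b"META-INF/JAVA.SFm",
    "$string3": b"RequiredJavaComponent.class",
    "$string4": b"META-INF/MANIFEST.MF",
    "$string5": b"META-INF/JAVA.DSAPK",
    "$string6": b"META-INF/JAVA.SFPK",
    "$string7": b"5EVTwkx",
    "$string8": b"META-INF/JAVA.DSA3hb",
    "$string9": b"y\\Dw -",
}
THRESHOLD = 9  # the rule's condition: 9 of them

# Entry names that describe the archive layout the rule was generated from
# (an assumption for this example, derived from the rule's strings). Reading
# them from the ZIP directory is independent of how the entries are compressed.
STRUCTURAL_ENTRIES = {
    "RequiredJavaComponent.class",
    "META-INF/JAVA.SF",
    "META-INF/JAVA.DSA",
}


def string_hits(data: bytes) -> dict:
    """Return {rule string name: matched?}, like YARA's plain-string test."""
    return {name: pattern in data for name, pattern in RULE_STRINGS.items()}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition '9 of them' over the file bytes."""
    return sum(string_hits(data).values()) >= THRESHOLD


def structural_entries(data: bytes) -> set:
    """Names from the ZIP central directory that match the expected layout."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return STRUCTURAL_ENTRIES.intersection(jar.namelist())


def build_sample_jar(compression=zipfile.ZIP_STORED) -> bytes:
    """Constructed sample: same entry names as the rule, placeholder contents.

    With ZIP_STORED every central-directory name is followed directly by the
    next record's "PK" signature, which is what $string0/1/5/6 depend on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        jar.writestr("META-INF/JAVA.SF", b"Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/JAVA.DSA", b"\x30\x00")  # placeholder, not real PKCS#7
        jar.writestr("RequiredJavaComponent.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    hits = string_hits(sample)
    for name, hit in hits.items():
        print(f"{name:9} {'hit ' if hit else 'miss'} {RULE_STRINGS[name]!r}")
    print("hits:", sum(hits.values()), "of", len(hits),
          "-> rule fires:", rule_matches(sample))
    print("structural entries present:", sorted(structural_entries(sample)))
```

Running it prints six hits (the entry-name strings) and four misses (the data fragments), so rule_matches returns False for an archive that nonetheless has every entry the exploit JAR had. When triaging a real hit, pair the YARA result with structural_entries and the hash0 comparison: the first tells you whether the layout matches, the second whether it is the exact known sample.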
The scenarios below describe benign activity that can coincide with a hit and how to filter it. In every case the hit is on file content, so confirm the file first (compare against hash0 and inspect the archive's entries) before excluding anything.
Scenario: Scheduled System Maintenance Job
Description: A scheduled maintenance task (Task Scheduler or schtasks.exe) that downloads or unpacks Java components can write a JAR whose entry names overlap with the rule's strings. The rule inspects file content only; it does not see registry changes or downloads, so the task matters only as the process that wrote the scanned file.
Filter/Exclusion: When correlating hits with process telemetry, exclude files written by approved maintenance tasks (e.g. schtasks.exe with a command line containing /create or /run and a known task name), but never exclude a file whose hash matches hash0.
Scenario: Admin Tool for Patch Management
Description: Windows Update or WSUS (Windows Server Update Services) stages downloaded packages on disk, and scanning those staging directories can surface archives that partially match the rule. The update traffic itself cannot match, because the rule runs on files, not on network activity.
Filter/Exclusion: Exclude hits on files written by wuauserv or the WSUS service to their staging paths, or downloaded from Microsoft update servers, after confirming the file is not the hash0 sample.
Scenario: Log Management Tool Configuration
Description: Log management tools such as Splunk or the ELK Stack copy, move and delete files during normal operation, and Logstash runs on the JVM, so its install and temp directories hold many JARs that a broad file scan will pass over.
Filter/Exclusion: Exclude files under the tools' install directories or written by their service accounts (splunkd.exe, logstash), and prioritise user download and browser cache locations, where an exploit-kit JAR would actually land.
Scenario: Database Backup Job
Description: A backup job (sqlbackup.exe, mysqldump or pg_dump) writes large archives; if a backup captures a directory that already holds a matching JAR, the backup file can hit as well and make the backup tool look like the source.
Filter/Exclusion: Exclude the backup tool's output directories and network destinations from the rule, but treat a hit inside a backup as a lead: locate the original file on the backed-up host rather than suppressing the alert.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like `Microsoft Defender