The BleedingLife2 Exploit Kit Detection identifies potential exploitation attempts by malicious actors using this specific exploit kit to compromise endpoints, often as part of broader malware campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage attacks and prevent lateral movement and data exfiltration.
YARA Rule
rule bleedinglife2_java_2010_0842_exploit : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "BleedingLife2 Exploit Kit Detection"
        hash0 = "b14ee91a3da82f5acc78abd10078752e"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
        $string1 = "ToolsDemo.classPK"
        $string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
        $string3 = "Created-By: 1.6.0_22 (Sun Microsystems Inc.)"
        $string4 = "META-INF/PK"
        $string5 = "ToolsDemo.class"
        $string6 = "META-INF/services/PK"
        $string7 = "ToolsDemoSubClass.classPK"
        $string8 = "META-INF/MANIFEST.MFPK"
        $string9 = "ToolsDemoSubClass.classeN"
    condition:
        9 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
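Most of these strings are ZIP-layout artifacts rather than code: an entry name immediately followed by the next `PK` header signature, or by the start of uncompressed entry data. Whether the "9 of them" condition fires therefore depends on how the JAR was packed. The following added example (not part of the original rule or page) re-implements the rule's substring matching and threshold in Python and runs it against a constructed JAR whose entry layout is inferred from the strings; the entry contents and ordering are assumptions, not the sample that hash0 refers to.

```python
import io
import zipfile

# The ten string patterns from the rule above, keyed by their YARA identifiers.
RULE_STRINGS = {
    "$string0": b"META-INF/MANIFEST.MFManifest-Version: 1.0",
    "$string1": b"ToolsDemo.classPK",
    "$string2": b"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5",
    "$string3": b"Created-By: 1.6.0_22 (Sun Microsystems Inc.)",
    "$string4": b"META-INF/PK",
    "$string5": b"ToolsDemo.class",
    "$string6": b"META-INF/services/PK",
    "$string7": b"ToolsDemoSubClass.classPK",
    "$string8": b"META-INF/MANIFEST.MFPK",
    "$string9": b"ToolsDemoSubClass.classeN",
}
THRESHOLD = 9  # the rule's condition is "9 of them"

def matched_strings(data: bytes) -> list:
    """Identifiers of rule strings found in data (case-sensitive ASCII substring, as YARA matches them)."""
    return [ident for ident, pattern in RULE_STRINGS.items() if pattern in data]

def rule_matches(data: bytes) -> bool:
    """True when the condition would fire: at least THRESHOLD distinct strings present."""
    return len(matched_strings(data)) >= THRESHOLD

def build_jar(compression: int) -> bytes:
    """Constructed JAR with the entry layout the rule strings imply; assumed, not the hash0 sample."""
    manifest = b"Manifest-Version: 1.0\r\nCreated-By: 1.6.0_22 (Sun Microsystems Inc.)\r\n\r\n"
    entries = [
        ("META-INF/", b""),
        ("META-INF/MANIFEST.MF", manifest),
        ("META-INF/services/", b""),
        ("META-INF/services/javax.sound.midi.spi.MidiDeviceProvider", b"ToolsDemo\n"),
        ("ToolsDemo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28),  # placeholder class bytes
        ("ToolsDemoSubClass.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for name, content in entries:
            zf.writestr(name, content)  # ZIP_STORED keeps entry names adjacent to their raw data
    return buf.getvalue()

if __name__ == "__main__":
    for label, comp in (("stored", zipfile.ZIP_STORED), ("deflated", zipfile.ZIP_DEFLATED)):
        jar = build_jar(comp)
        hits = matched_strings(jar)
        print(f"{label}: {len(hits)}/{len(RULE_STRINGS)} strings hit, rule fires: {rule_matches(jar)}")
        print("  not found:", sorted(set(RULE_STRINGS) - set(hits)))
```

With the entries stored uncompressed, 8 of the 10 strings are present (the two that end in compressed-data bytes are not), which is below the threshold; deflating the entries removes the manifest strings as well, so the rule's coverage is tied to the packing of the one sample it was generated from.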
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or executing a payload.
Filter/Exclusion: Check for taskname containing “SystemMaintenance” or “PatchManagement” and exclude processes initiated by the Task Scheduler service.
Scenario: Admin Performing Remote Code Execution (RCE) via PowerShell
Description: An administrator uses PowerShell to execute a script for system configuration, which may trigger the same network activity as the exploit kit.
Filter/Exclusion: Exclude processes with ProcessName “powershell.exe” where the command line includes “Invoke-Command” or “Start-Process” with known admin scripts.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) update deployment downloads a payload that matches the exploit kit’s network signature.
Filter/Exclusion: Exclude traffic from the SCCM client (ProcessName “ccmexec.exe”) or IP ranges associated with the organization’s internal update servers.
Scenario: Log Collection and Analysis Tool (e.g., Splunk, ELK) Processing Logs
Description: A log analysis tool temporarily executes a script that generates network traffic similar to exploit kit behavior.
Filter/Exclusion: Exclude processes with ProcessName “splunkd.exe” or “logstash” and filter by known log processing IP ranges.
Scenario: Internal Penetration Test Using Mimikatz or Cobalt Strike
Description: A red team or security team uses tools like Mimikatz or Cobalt Strike to simulate attack vectors, which may trigger the same detection logic.
Filter/Exclusion: Exclude processes with ProcessName “mimikatz.exe” or “cobaltstrike.exe” and filter by user accounts