The detection identifies the CrimePack Exploit Kit's Java payload (a JAR), a kit commonly used to deliver malware and compromise systems through the browser. Because this is a YARA rule it matches file content, not events: run it wherever the JAR can be scanned (endpoint file scanning, a malware sandbox, mail or web-proxy file capture) and forward the hits to Azure Sentinel, where SOC teams can hunt for them and cut off early-stage attacks before they lead to data exfiltration or system compromise.
YARA Rule
rule crimepack_jar : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "CrimePack Exploit Kit Detection"
        // 32 hex digits: the MD5 of the one sample the strings were generated from
        hash0 = "d48e70d538225bc1807842ac13a8e188"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        // Arbitrary byte run from the sample, most likely from inside a compressed stream
        $string0 = "r.JM,IM"
        // Class paths as they appear in the JAR's central directory: the entry name is
        // followed directly by the "PK" signature of the next header
        $string1 = "cpak/Crimepack$1.classPK"
        $string2 = "cpak/KAVS.classPK"
        // Class paths as they appear in the local file headers: the entry name is
        // followed directly by the first bytes of that entry's compressed data
        $string3 = "cpak/KAVS.classmQ"
        $string4 = "cpak/Crimepack$1.classmP[O"
        // Present in every JAR, so these two add little on their own
        $string5 = "META-INF/MANIFEST.MF"
        $string6 = "META-INF/MANIFEST.MFPK"
    condition:
        6 of them
}
The rule carries 7 string patterns and fires when 6 of them are present. Two of the seven ($string5, $string6) occur in every JAR, and three ($string0, $string3, $string4) are fragments of this one sample's compressed data rather than of the kit's code, so the rule is tied closely to hash0: a recompiled or repacked build with the same class names can fall below the threshold. The false-positive scenarios below describe process, task and network telemetry; they apply where a YARA hit on a file is correlated with that telemetry, since the file match itself carries none of those fields.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a file or executing a payload.
Filter/Exclusion: Exclude tasks belonging to known maintenance jobs (for example the scheduled tasks Windows Update registers), matched on the task_name or process_name field; limit the exclusion to named tasks rather than to everything launched by the Task Scheduler, since attackers also persist through scheduled tasks.
Scenario: Admin Performing Remote Code Execution (RCE) for Patching
Description: An administrator uses a tool like PsExec or WinRM to execute a script remotely to apply patches or updates.
Filter/Exclusion: Exclude only the combination of a known admin tool in the process_name field (PsExec, WinRM) and an approved administrator account in the user field; do not exclude on elevated privileges alone, since PsExec or WinRM driven by a compromised admin account is exactly the lateral movement the detection should still catch.
Scenario: Security Tool Performing Active Scanning
Description: A security tool like Nessus or OpenVAS performs active scanning and triggers network activity similar to exploit kit behavior.
Filter/Exclusion: Exclude the scanner by its process_name or by its source address rather than by destination_port: a scanner's probes span many destination ports, so a port filter is not a reliable key, and any port that is used should be taken from the scanner's own documentation.
Scenario: Legitimate Software Update via PowerShell
Description: A PowerShell script is used to download and install a software update from a trusted source, which may involve downloading files or executing scripts.
Filter/Exclusion: Exclude PowerShell runs started by known update mechanisms, matched on the process_name field together with a trusted vendor domain or IP range in the destination_ip or destination_domain field; require both conditions, since PowerShell downloading from an arbitrary host is a common payload-delivery step.
Scenario: Database Backup Job with Network Transfer
Description: A database backup job (for example SQL Server BACKUP or mysqldump) transfers data over the network, which may resemble exploit kit network activity.
Filter/Exclusion: Exclude network traffic associated with known backup tools, using