The detection identifies potential CrimePack Exploit Kit activity through suspicious network traffic patterns indicative of malicious payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by known exploit kits.
YARA Rule
rule crimepack_jar3 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "CrimePack Exploit Kit Detection"
        hash0 = "40ed977adc009e1593afcb09d70888c4"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "payload.serPK"
        $string1 = "vE/JD[j"
        $string2 = "payload.ser["
        $string3 = "Exploit$2.classPK"
        $string4 = "Exploit$2.class"
        $string5 = "Ho((i/"
        $string6 = "META-INF/MANIFEST.MF"
        $string7 = "H5641Yk"
        $string8 = "Exploit$1.classPK"
        $string9 = "Payloader.classPK"
        $string10 = "%p6$MCS"
        $string11 = "Exploit$1$1.classPK"
    condition:
        11 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
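The following Python script is an added example written for this page; it is not part of the rule above nor the author's tooling. It re-implements the rule's "11 of them" condition in plain Python (each of the 12 strings counts once, however often it occurs) and builds two constructed in-memory JAR files to show how the condition behaves: one that only shares the entry names seen in the rule, and one that also carries the opaque byte sequences. Because a JAR is a ZIP archive, each entry name in the central directory is immediately followed by the next "PK" header, which is why YaraGenerator emitted strings such as "Exploit$2.classPK". The two sample archives and their contents are constructed for this example and contain no working code.

```python
from __future__ import annotations

import io
import zipfile

# The twelve string patterns from the crimepack_jar3 rule on this page, as bytes.
RULE_STRINGS: dict[str, bytes] = {
    "$string0": b"payload.serPK",
    "$string1": b"vE/JD[j",
    "$string2": b"payload.ser[",
    "$string3": b"Exploit$2.classPK",
    "$string4": b"Exploit$2.class",
    "$string5": b"Ho((i/",
    "$string6": b"META-INF/MANIFEST.MF",
    "$string7": b"H5641Yk",
    "$string8": b"Exploit$1.classPK",
    "$string9": b"Payloader.classPK",
    "$string10": b"%p6$MCS",
    "$string11": b"Exploit$1$1.classPK",
}
THRESHOLD = 11  # the rule's condition: "11 of them"


def matched_strings(data: bytes) -> list[str]:
    """Identifiers of rule strings present anywhere in data.

    Mirrors YARA's "N of them": a string is counted once no matter how many
    times it occurs. No string modifiers (nocase, wide, ...) are involved here.
    """
    return [name for name, pattern in RULE_STRINGS.items() if pattern in data]


def rule_fires(data: bytes) -> bool:
    """True when at least THRESHOLD distinct rule strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build an uncompressed JAR (a ZIP) in memory from {entry name: content}.

    ZIP_STORED keeps content verbatim, and the central directory places each
    entry name directly before the following "PK" header, so names such as
    "Exploit$2.classPK" show up as literal byte strings in the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample 1: shares the rule's entry names but carries none of the
# opaque byte sequences. Hypothetical test data, not a real sample.
LOOKALIKE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Exploit$1.class": b"constructed class bytes",
    "Exploit$1$1.class": b"constructed class bytes",
    "Exploit$2.class": b"constructed class bytes",
    "Payloader.class": b"constructed class bytes",
    "payload.ser": b"constructed serialized data",
})

# Constructed sample 2: same layout, plus the remaining opaque sequences placed
# where the rule's strings imply them (payload.ser content starting with "[").
# Hypothetical test data only; the entries hold no code.
FULL_MATCH_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Exploit$1.class": b"Ho((i/ H5641Yk",
    "Exploit$1$1.class": b"constructed class bytes",
    "Exploit$2.class": b"%p6$MCS",
    "Payloader.class": b"constructed class bytes",
    "payload.ser": b"[ vE/JD[j",
})


def report(label: str, data: bytes) -> str:
    """Human-readable summary of which strings hit and whether the rule fires."""
    hits = matched_strings(data)
    verdict = "FIRES" if rule_fires(data) else "does not fire"
    return f"{label}: {len(hits)}/{len(RULE_STRINGS)} strings, rule {verdict}: {hits}"


if __name__ == "__main__":
    print(report("lookalike JAR", LOOKALIKE_JAR))
    print(report("full-match JAR", FULL_MATCH_JAR))
```

The lookalike archive hits only the seven structural strings (entry names and their "PK"-suffixed forms), so the rule stays quiet; the second archive hits all twelve and crosses the threshold. For actual scanning use yara or yara-python rather than this emulation; the point of the script is to make the "11 of them" threshold and the ZIP-structure origin of the strings visible when tuning or reviewing the rule.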
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for process.name containing “Veeam” or “backup” and filter out processes initiated by the backup service account.
Scenario: Admin performing a PowerShell-based system cleanup using PowerShell.exe
Filter/Exclusion: Filter out processes where process.name is “PowerShell.exe” and process.parent.name is “Windows PowerShell” or “Task Scheduler”.
Scenario: Automated patch deployment via SCCM (System Center Configuration Manager)
Filter/Exclusion: Exclude processes with process.name containing “ccmexec” or “sccm” and check for known SCCM service accounts.
Scenario: Legitimate use of Wazuh agent for log collection and monitoring
Filter/Exclusion: Filter out processes with process.name containing “wazuh” or “agent” and verify the process is running under the Wazuh service account.
Scenario: Running a security scan with Nessus or OpenVAS
Filter/Exclusion: Exclude processes with process.name containing “nessus” or “openvas” and check for execution context under the security scanning service account.