The Eleonore Exploit Kit detection identifies exploitation attempts in which malicious actors leverage compromised websites to deliver the kit's payload to visiting browsers; here the payload is a Java archive (JAR), as the class and manifest names in the rule's string patterns show. A match indicates a possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks before they escalate.
YARA Rule
rule eleonore_jar : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "ad829f4315edf9c2611509f3720635d2"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "r.JM,IM"
        $string1 = "dev/s/DyesyasZ.classPK"
        $string2 = "k4kjRv"
        $string3 = "dev/s/LoaderX.class}V[t"
        $string4 = "dev/s/PK"
        $string5 = "Hsz6%y"
        $string6 = "META-INF/MANIFEST.MF"
        $string7 = "dev/PK"
        $string8 = "dev/s/AdgredY.class"
        $string9 = "dev/s/DyesyasZ.class"
        $string10 = "dev/s/LoaderX.classPK"
        $string11 = "eS0L5d"
        $string12 = "8E{4ON"
    condition:
        12 of them
}
This YARA rule can be deployed in the following contexts:
The rule contains 13 string patterns, and its condition fires when at least 12 of them are present in the scanned file, so a sample may lack any one pattern and still match.
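To make the "12 of them" threshold concrete without needing yara-python installed, the following script (an added example, not the rule author's or the page's code) reproduces the 13 literal strings and the threshold in plain Python and runs them over byte strings assembled here for the test. The byte strings are constructed inputs, not Eleonore samples. It also shows one quirk worth knowing when reasoning about the threshold: $string9 is a substring of $string1, so any file containing $string1 always contributes two matches.

```python
"""Emulate the 'N of them' condition of the eleonore_jar YARA rule.

Added example: reproduces the rule's 13 plain-text strings and its
'12 of them' threshold with the standard library only, so the threshold
behaviour can be checked offline.
"""

# The 13 string patterns from the rule. With no modifiers YARA treats them as
# literal, case-sensitive ASCII byte sequences, so a bytes 'in' test matches
# exactly what YARA would count.
ELEONORE_STRINGS = [
    b"r.JM,IM",                   # $string0
    b"dev/s/DyesyasZ.classPK",    # $string1
    b"k4kjRv",                    # $string2
    b"dev/s/LoaderX.class}V[t",   # $string3
    b"dev/s/PK",                  # $string4
    b"Hsz6%y",                    # $string5
    b"META-INF/MANIFEST.MF",      # $string6
    b"dev/PK",                    # $string7
    b"dev/s/AdgredY.class",       # $string8
    b"dev/s/DyesyasZ.class",      # $string9 (also contained in $string1)
    b"dev/s/LoaderX.classPK",     # $string10
    b"eS0L5d",                    # $string11
    b"8E{4ON",                    # $string12
]
THRESHOLD = 12  # condition: 12 of them


def matched_strings(data: bytes) -> list:
    """Return every rule string that occurs at least once in data."""
    return [s for s in ELEONORE_STRINGS if s in data]


def rule_fires(data: bytes) -> bool:
    """True when at least THRESHOLD distinct strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(exclude: frozenset = frozenset()) -> bytes:
    """Constructed test input: the rule strings, minus the excluded indices,
    separated by NUL padding. This is NOT an Eleonore sample; it is a byte
    string assembled here only to exercise the threshold. The strings hold no
    NUL bytes, so no pattern can straddle a separator."""
    parts = [s for i, s in enumerate(ELEONORE_STRINGS) if i not in exclude]
    return b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    for excl in (frozenset(), frozenset({0}), frozenset({0, 5}), frozenset({9})):
        data = build_sample(excl)
        print(f"excluded={sorted(excl)!s:10} matches={len(matched_strings(data)):2} "
              f"fires={rule_fires(data)}")
```

Dropping one pattern still fires (12 matches), dropping two does not (11 matches), and dropping only $string9 changes nothing because $string1 still contains it. With yara-python available the same checks can be made against the real engine via `yara.compile(source=...)` and `rules.match(data=...)`.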
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm.exe" and process.name != "vagent.exe"
Scenario: Admin performing a PowerShell-based system cleanup using Microsoft's cleanmgr.exe
Filter/Exclusion: process.name != "cleanmgr.exe" and process.name != "powershell.exe", with a whitelist of known safe PowerShell scripts
Scenario: Database maintenance task using SQL Server Agent job
Filter/Exclusion: process.name != "sqlservr.exe" and process.name != "sqlagent.exe", with a check for known SQL maintenance scripts
Scenario: User running a legitimate exploit mitigation tool like Cisco's Talos Intelligence Platform
Filter/Exclusion: process.name != "talos-intel.exe" and process.name != "talos-intel-service.exe"
Scenario: System update via Windows Update using wuauclt.exe
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "svchost.exe", with a check for known Windows Update processes
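Exclusions that combine several `process.name != X` tests are easy to get wrong: joined with `or`, the predicate is true for every event (no single value equals both names), so the exclusion never removes anything and the expected false positives keep alerting; joined with `and`, it drops exactly the listed processes. The script below is an added example, not the page's own filter logic: it evaluates both forms, plus the page's "known scripts" refinement for powershell.exe, over events constructed here. The field names `process.name` and `process.command_line`, the script path and all event values are assumptions made for the demonstration.

```python
"""Evaluate process-name exclusions for a SIEM alert before deploying them.

Added example, not the page's own logic: applies the two ways of combining
`process.name != X` tests to constructed events and shows which events each
form drops. Field names and event values are assumptions for this demo.
"""

# Constructed events standing in for alert records around the YARA match;
# none of these values come from real telemetry.
EVENTS = [
    {"process.name": "vbm.exe", "process.command_line": "vbm.exe /backup"},
    {"process.name": "vagent.exe", "process.command_line": "vagent.exe"},
    {"process.name": "powershell.exe",
     "process.command_line": r"powershell.exe -File C:\Scripts\monthly-cleanup.ps1"},
    {"process.name": "powershell.exe",
     "process.command_line": r"powershell.exe -File C:\Users\Public\unknown.ps1"},
    {"process.name": "java.exe", "process.command_line": "java.exe -jar app.jar"},
]

BACKUP_PROCESSES = {"vbm.exe", "vagent.exe"}                 # Veeam scenario
KNOWN_CLEANUP_SCRIPTS = {r"C:\Scripts\monthly-cleanup.ps1"}  # constructed allow-list


def keep_with_or(event: dict) -> bool:
    """process.name != "vbm.exe" OR process.name != "vagent.exe".
    One value cannot equal both names, so one operand is always true:
    every event is kept and the exclusion has no effect."""
    name = event["process.name"]
    return name != "vbm.exe" or name != "vagent.exe"


def keep_with_and(event: dict) -> bool:
    """process.name != "vbm.exe" AND process.name != "vagent.exe":
    drops exactly the two backup processes and keeps everything else."""
    name = event["process.name"]
    return name != "vbm.exe" and name != "vagent.exe"


def keep_event(event: dict, processes: set, scripts: set = frozenset()) -> bool:
    """General form of the page's exclusions: drop events from allow-listed
    process names; for powershell.exe drop only when the command line refers
    to a known script, so unfamiliar scripts still alert. A bare process name
    is a weak identity; pair it with image path or signer checks in production."""
    name = event["process.name"]
    if name in processes:
        return False
    if name == "powershell.exe":
        cmd = event.get("process.command_line", "")
        return not any(script in cmd for script in scripts)
    return True


def apply_filter(events, keep) -> list:
    """Return the events that survive the filter, i.e. the ones that still alert."""
    return [e for e in events if keep(e)]


def surviving_names(events, keep) -> list:
    """Process names of the surviving events, in input order."""
    return [e["process.name"] for e in apply_filter(events, keep)]


if __name__ == "__main__":
    print("or :", surviving_names(EVENTS, keep_with_or))
    print("and:", surviving_names(EVENTS, keep_with_and))
    print("gen:", surviving_names(
        EVENTS, lambda e: keep_event(e, BACKUP_PROCESSES, KNOWN_CLEANUP_SCRIPTS)))
```

The `or` form lets all five events through, the `and` form removes the two Veeam processes, and the general form additionally suppresses only the PowerShell run whose command line names a known cleanup script while the unknown script and the Java process still alert.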