The Eleonore Exploit Kit Detection rule identifies potential exploitation attempts by malicious Java archive (JAR) payloads associated with the Eleonore exploit kit, which is known for delivering malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts by sophisticated adversaries leveraging this kit.
YARA Rule
rule eleonore_jar2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "94e99de80c357d01e64abf7dc5bd0ebd"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
        $string1 = "wPVvVyz"
        $string2 = "JavaFX.class"
        $string3 = "{%D@'\\"
        $string4 = "JavaFXColor.class"
        $string5 = "bWxEBI}Y"
        $string6 = "$(2}UoD"
        $string7 = "j%4muR"
        $string8 = "vqKBZi"
        $string9 = "l6gs8;"
        $string10 = "JavaFXTrueColor.classeSKo"
        $string11 = "ZyYQx "
        $string12 = "META-INF/"
        $string13 = "JavaFX.classPK"
        $string14 = ";Ie8{A"
    condition:
        14 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
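To make the "14 of them" condition concrete, the following added example (not part of the page and not the rule author's code) re-implements the rule's matching logic in plain Python over the 15 strings listed above, so the threshold can be exercised against constructed inputs without a YARA install. The JAR it builds is a harmless placeholder whose entry names overlap the rule's class-name strings; `blob_with`, `build_jar` and `benign_javafx_jar` are helpers invented for this example. It also shows a quirk of generated rules of this kind: `$string12` ("META-INF/") is a substring of `$string0`, and `$string2` ("JavaFX.class") is a substring of `$string13`, so those two short strings add no independent evidence.

```python
import io
import zipfile

# The 15 text strings of the eleonore_jar2 rule on this page, as raw bytes.
# In a YARA text string "\\" is a single backslash, hence b"{%D@'\\" below.
ELEONORE_JAR2_STRINGS = [
    b"META-INF/MANIFEST.MFManifest-Version: 1.0",
    b"wPVvVyz",
    b"JavaFX.class",
    b"{%D@'\\",
    b"JavaFXColor.class",
    b"bWxEBI}Y",
    b"$(2}UoD",
    b"j%4muR",
    b"vqKBZi",
    b"l6gs8;",
    b"JavaFXTrueColor.classeSKo",
    b"ZyYQx ",
    b"META-INF/",
    b"JavaFX.classPK",
    b";Ie8{A",
]

REQUIRED_MATCHES = 14  # the rule's condition: "14 of them"


def matched_strings(data: bytes) -> list:
    """Return the rule strings found anywhere in data (plain substring search,
    which is what an unmodified YARA text string does)."""
    return [s for s in ELEONORE_JAR2_STRINGS if s in data]


def rule_matches(data: bytes, required: int = REQUIRED_MATCHES) -> bool:
    """Evaluate the condition: at least `required` distinct strings present."""
    return len(matched_strings(data)) >= required


def blob_with(indices) -> bytes:
    """Constructed test input: the selected rule strings joined by a newline."""
    return b"\n".join(ELEONORE_JAR2_STRINGS[i] for i in indices)


def build_jar(entries: dict) -> bytes:
    """Constructed test input: an uncompressed JAR/ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def benign_javafx_jar() -> bytes:
    """A harmless JAR whose entry names collide with the rule's class-name
    strings; the class bodies are just a class-file magic plus zero padding."""
    stub_class = b"\xca\xfe\xba\xbe" + b"\x00" * 32
    return build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
        "JavaFX.class": stub_class,
        "JavaFXColor.class": stub_class,
        "JavaFXTrueColor.class": stub_class,
    })


if __name__ == "__main__":
    for label, data in [
        ("all 15 strings", blob_with(range(15))),
        ("first 14 strings", blob_with(range(14))),
        ("first 13 strings", blob_with(range(13))),
        ("benign JavaFX jar", benign_javafx_jar()),
    ]:
        hits = matched_strings(data)
        print(f"{label:18s} {len(hits):2d}/15 matched -> {rule_matches(data)}")
```

The benign JAR matches only the structural strings (entry names and the `META-INF/` prefix), far below the 14-string threshold, which is why the rule tolerates ordinary JavaFX archives; the cost is that any packed or recompiled variant that disturbs two or more of the opaque strings will also fall below the threshold, so this rule should be treated as a high-confidence indicator rather than broad coverage of the kit.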
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that uses curl or wget to fetch updates from an internal repository.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known internal update URL.

Scenario: Admin Performing Remote Code Execution (RCE) via PowerShell
Description: An administrator uses PowerShell to execute a remote script for patching or configuration management.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing -Command and a known internal script source.

Scenario: Software Update Deployment via Configuration Management Tool
Description: A tool like Ansible or Puppet deploys updates to multiple hosts, which may involve downloading files from a trusted internal server.
Filter/Exclusion: Exclude processes initiated by Ansible (ansible) or Puppet (puppet) with a destination IP in the internal network.

Scenario: Log Collection and Analysis Tool Fetching Logs
Description: A tool like Splunk or ELK Stack fetches logs from remote servers for centralized analysis.
Filter/Exclusion: Exclude processes initiated by Splunk (splunkd) or Fluentd with a destination IP in the internal network.

Scenario: Database Backup Job Using External Script
Description: A database backup job uses a script to export data to a remote storage system, which may involve network traffic resembling malicious activity.
Filter/Exclusion: Exclude processes initiated by sqlbackup.exe or mysqldump with a known backup server IP.
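The five exclusions above are the kind of allowlist a SOC layers over a hunting query before triaging its hits. The following added example (not from the page, and not a Sentinel query) encodes them as one Python filter over constructed process events, so the width of each exclusion can be reviewed in code. The `ProcEvent` shape, the `KNOWN_*` hosts and the sample events are all assumptions made up for the example; `is_internal` treats the RFC 1918 ranges as "the internal network".

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, not a Sentinel schema)."""
    parent: str
    process: str
    cmdline: str
    dest_ip: str


# RFC 1918 ranges stand in for "the internal network" in the scenarios.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder values for the "known" hosts the scenarios refer to.
KNOWN_UPDATE_URL = "http://updates.corp.example/"
KNOWN_SCRIPT_SOURCE = "\\\\fileserver.corp.example\\scripts\\"
KNOWN_BACKUP_IP = "10.20.30.40"


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def exclusion_reason(ev: ProcEvent):
    """Return the scenario name that excludes this event, or None to keep it.
    Every exclusion pairs the process with a second condition (parent, command
    line marker or destination) so that a process name alone never suppresses."""
    proc = ev.process.lower()
    cmd = ev.cmdline
    if (ev.parent.lower() == "schtasks.exe" and proc in ("curl.exe", "wget.exe")
            and KNOWN_UPDATE_URL in cmd):
        return "scheduled maintenance job"
    if proc == "powershell.exe" and "-Command" in cmd and KNOWN_SCRIPT_SOURCE in cmd:
        return "admin remote script via PowerShell"
    if proc in ("ansible", "puppet") and is_internal(ev.dest_ip):
        return "configuration management deployment"
    if proc in ("splunkd", "fluentd") and is_internal(ev.dest_ip):
        return "log collection"
    if proc in ("sqlbackup.exe", "mysqldump") and ev.dest_ip == KNOWN_BACKUP_IP:
        return "database backup job"
    return None


def filter_events(events):
    """Split events into (kept, excluded); excluded items carry their reason."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason is None:
            kept.append(ev)
        else:
            excluded.append((ev, reason))
    return kept, excluded


# Constructed sample events: three that each scenario should suppress and two
# near-misses that must survive (external URL, external backup destination).
SAMPLE_EVENTS = [
    ProcEvent("schtasks.exe", "curl.exe",
              "curl.exe http://updates.corp.example/patch.msi -o patch.msi", "10.1.2.3"),
    ProcEvent("schtasks.exe", "curl.exe",
              "curl.exe http://203.0.113.9/patch.msi -o patch.msi", "203.0.113.9"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -Command \\\\fileserver.corp.example\\scripts\\patch.ps1", "10.0.0.5"),
    ProcEvent("cron", "mysqldump", "mysqldump --all-databases", "10.20.30.40"),
    ProcEvent("cron", "mysqldump", "mysqldump --all-databases", "203.0.113.5"),
    ProcEvent("systemd", "splunkd", "splunkd -p 8089 start", "192.168.10.20"),
]


if __name__ == "__main__":
    kept, excluded = filter_events(SAMPLE_EVENTS)
    for ev, reason in excluded:
        print(f"excluded ({reason}): {ev.process} -> {ev.dest_ip}")
    for ev in kept:
        print(f"kept for triage: {ev.process} -> {ev.dest_ip}")
```

The first scenario is phrased on the page as "schtasks.exe or a known internal update URL"; the example deliberately requires both together, because excluding every download spawned by a scheduled task would also hide a malicious task that fetches a payload, and the same narrowing applies to the log-collection and backup cases, where the destination check is what keeps the exclusion from becoming a blanket pass for the process name.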