The Eleonore Exploit Kit Detection rule identifies potential exploitation attempts by malicious JavaScript payloads commonly associated with the Eleonore exploit kit, which is used to deliver malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise attempts and prevent lateral movement and data exfiltration.
YARA Rule
rule eleonore_js2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "2f5ace22e886972a8dccc6aa5deb1e79"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        $string0 = "var dfshk "
        $string1 = "arrow_next_down"
        $string2 = "return eval('yiyr.replac'"
        $string3 = "arrow_next_over"
        $string4 = "arrow_prev_over"
        $string5 = "xcCSSWeekdayBlock"
        $string6 = "xcCSSHeadBlock"
        $string7 = "xcCSSDaySpecial"
        $string8 = "xcCSSDay"
        $string9 = " window[df "
        $string10 = "day_special"
        $string11 = "var df"
        $string12 = "function jklsdjfk() {"
        $string13 = " sdjd "
        $string14 = "'e(/kljf hdfk sdf/g,fjkhd);');"
        $string15 = "arrow_next"

    condition:
        15 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns in its detection logic.
Scenario: Legitimate JavaScript-based Reporting Tool Usage
Description: A system administrator uses a legitimate JavaScript-based reporting tool (e.g., Tableau, Power BI, or Google Data Studio) that includes JavaScript payloads for data visualization.
Filter/Exclusion: Check for known legitimate reporting tools in the process tree or file paths, and exclude files located in the tool’s installation directory (e.g., C:\Program Files\Tableau\).
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a script that includes JavaScript to perform system maintenance tasks (e.g., log cleanup, disk defragmentation, or registry optimization).
Filter/Exclusion: Exclude files with known maintenance scripts (e.g., C:\Windows\System32\schedtasks.js) or filter by process name (e.g., schtasks.exe).
Scenario: Admin Task Using JavaScript for Automation
Description: An administrator uses a JavaScript-based automation tool (e.g., Puppeteer, Node.js, or PowerShell with JS extensions) to automate routine tasks like user provisioning or configuration backups.
Filter/Exclusion: Exclude files executed from known admin tools or scripts located in the admin’s personal directory (e.g., C:\Users\Administrator\scripts\).
Scenario: Web Application with Embedded JavaScript
Description: A legitimate web application (e.g., WordPress, Drupal, or Joomla) includes JavaScript code for front-end functionality, which may be flagged by the YARA rule due to similar code patterns.
Filter/Exclusion: Exclude files with known web application directories (e.g., C:\inetpub\wwwroot\ or /var/www/html/) and filter by file extensions like .php, .html, or .js associated with web apps.
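The following is an added example, not code from the original page or from the rule's author, that shows in plain Python how the rule's "15 of them" threshold behaves against the 16 literal strings above and how the path-based exclusions from the scenarios would be layered on top of a hit. The sample inputs and the allowlisted directories are constructed for illustration; a real deployment would run the rule with YARA itself and keep the allowlist in its own configuration.

```python
# The 16 literal strings from the eleonore_js2 rule, copied from the page.
ELEONORE_STRINGS = [
    "var dfshk ", "arrow_next_down", "return eval('yiyr.replac'",
    "arrow_next_over", "arrow_prev_over", "xcCSSWeekdayBlock",
    "xcCSSHeadBlock", "xcCSSDaySpecial", "xcCSSDay", " window[df ",
    "day_special", "var df", "function jklsdjfk() {", " sdjd ",
    "'e(/kljf hdfk sdf/g,fjkhd);');", "arrow_next",
]
THRESHOLD = 15  # the rule's condition: 15 of them

# Constructed allowlist taken from the false-positive scenarios (hypothetical paths).
EXCLUDED_DIRS = [
    "C:\\Program Files\\Tableau\\",
    "C:\\inetpub\\wwwroot\\",
    "/var/www/html/",
]


def matched_strings(data: str) -> list[str]:
    """Return the rule strings present in data (case-sensitive, like a plain YARA string).
    Note: "var df", "arrow_next" and "xcCSSDay" are substrings of other rule strings,
    so they never count as independent evidence when the longer string is present."""
    return [s for s in ELEONORE_STRINGS if s in data]


def rule_matches(data: str) -> bool:
    """True when at least THRESHOLD of the 16 strings occur, mirroring '15 of them'."""
    return len(matched_strings(data)) >= THRESHOLD


def is_excluded(path: str) -> bool:
    """Case-insensitive prefix check against the allowlisted directories."""
    norm = path.replace("\\", "/").lower()
    return any(norm.startswith(d.replace("\\", "/").lower()) for d in EXCLUDED_DIRS)


def triage(path: str, data: str) -> str:
    """'clean' (no rule hit), 'suppressed' (hit inside an allowlisted path) or 'alert'."""
    if not rule_matches(data):
        return "clean"
    return "suppressed" if is_excluded(path) else "alert"


# Constructed sample containing every marker; not a real Eleonore payload.
SAMPLE_HIT = "<script>\n" + "\n".join(ELEONORE_STRINGS) + "\n</script>"
# Constructed calendar widget sharing only the CSS/arrow names (7 of 16 strings).
SAMPLE_CALENDAR = ("var df = 1; arrow_next arrow_next_down arrow_next_over "
                   "arrow_prev_over xcCSSDay day_special")

if __name__ == "__main__":
    print(triage("C:\\Users\\alice\\Downloads\\page.html", SAMPLE_HIT))   # alert
    print(triage("C:\\inetpub\\wwwroot\\index.html", SAMPLE_HIT))      # suppressed
    print(triage("/var/www/html/calendar.js", SAMPLE_CALENDAR))         # clean
```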