The Eleonore Exploit Kit Detection identifies potential exploitation attempts by malicious actors using this kit to deliver payloads and compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage attacks and prevent lateral movement within the network.
YARA Rule
rule eleonore_js3 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Eleonore Exploit Kit Detection"
        hash0 = "9dcb8cd8d4f418324f83d914ab4d4650"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "@mozilla.org/file/directory_service;1"
        $string1 = "var exe "
        $string2 = "var file "
        $string3 = "foStream.write(data, data.length);"
        $string4 = " var file_data "
        $string5 = "return "
        $string6 = " Components.classes["
        $string7 = "url : "
        $string8 = "].createInstance(Components.interfaces.nsILocalFile);"
        $string9 = " var bstream "
        $string10 = " bstream.readBytes(size); "
        $string11 = "@mozilla.org/supports-string;1"
        $string12 = " var channel "
        $string13 = "tmp.exe"
        $string14 = " if (channel instanceof Components.interfaces.nsIHttpChannel "
        $string15 = "@mozilla.org/network/io-service;1"
        $string16 = " bstream.available()) { "
        $string17 = "].getService(Components.interfaces.nsIIOService); "
    condition:
        17 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic.
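The rule fires only when 17 of its 18 text strings occur in one file, so a legitimate Firefox add-on that touches a few of the same XPCOM interfaces stays well below the threshold. The following is an added illustration, not part of the original page or of YaraGenerator: a small hand-rolled evaluator that parses the rule's strings and its "N of them" condition and counts distinct string hits in a constructed input (in production you would compile the rule with YARA itself, e.g. yara-python; this evaluator handles only the plain text strings this rule uses).

```python
import re
from typing import List, Tuple

# The page's eleonore_js3 rule, embedded so the example runs offline (meta section omitted).
RULE = r'''rule eleonore_js3 : EK
{
strings:
$string0 = "@mozilla.org/file/directory_service;1"
$string1 = "var exe "
$string2 = "var file "
$string3 = "foStream.write(data, data.length);"
$string4 = " var file_data "
$string5 = "return "
$string6 = " Components.classes["
$string7 = "url : "
$string8 = "].createInstance(Components.interfaces.nsILocalFile);"
$string9 = " var bstream "
$string10 = " bstream.readBytes(size); "
$string11 = "@mozilla.org/supports-string;1"
$string12 = " var channel "
$string13 = "tmp.exe"
$string14 = " if (channel instanceof Components.interfaces.nsIHttpChannel "
$string15 = "@mozilla.org/network/io-service;1"
$string16 = " bstream.available()) { "
$string17 = "].getService(Components.interfaces.nsIIOService); "
condition:
17 of them
}'''

def parse_rule(text: str) -> Tuple[List[str], int]:
    """Pull the plain text strings and the 'N of them' threshold out of the rule.
    Only the subset of YARA syntax this rule uses is handled (no hex or regex strings)."""
    strings = re.findall(r'^\$\w+\s*=\s*"(.*)"\s*$', text, re.M)
    threshold = int(re.search(r'^\s*(\d+)\s+of them', text, re.M).group(1))
    return strings, threshold

def evaluate(text: str, sample: bytes) -> Tuple[int, bool]:
    """Return (number of distinct rule strings present, whether the rule fires)."""
    strings, threshold = parse_rule(text)
    hits = sum(1 for s in strings if s.encode() in sample)
    return hits, hits >= threshold

# Constructed benign input: a legacy Firefox add-on fragment using some of the same XPCOM APIs.
BENIGN = b'''var ios = Components.classes["@mozilla.org/network/io-service;1"]
              .getService(Components.interfaces.nsIIOService);
return ios.newURI(spec, null, null);'''
```

Running evaluate(RULE, BENIGN) reports 3 of 18 strings matched and no alert, which is the margin this rule's "17 of them" condition leaves for ordinary XPCOM use.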
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as Windows Update or disk cleanup, may trigger the rule due to similar network activity or file execution patterns.
Filter/Exclusion: Check for process.name containing “wuauclt.exe” or “cleanmgr.exe” and exclude any activity related to known maintenance tasks.
Scenario: Admin Performing Remote Desktop Session
Description: An administrator using Remote Desktop Protocol (RDP) to access a server may trigger the rule if the session involves file access or network communication that resembles exploit kit behavior.
Filter/Exclusion: Filter by process.name containing “mstsc.exe” or “rdpclip.exe” and exclude any activity that does not involve file execution or outbound network connections.
Scenario: Antivirus or Endpoint Protection Scan
Description: A scheduled scan by an antivirus or endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Symantec) may trigger the rule due to temporary file creation or network communication.
Filter/Exclusion: Check for process.name containing “mpsvc.exe”, “mpengine.exe”, or “agent.exe” and exclude any activity that does not involve scanning or file analysis.
Scenario: Legitimate Software Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) deployment may trigger the rule if it involves downloading or executing files that match the exploit kit’s signature.
Filter/Exclusion: Filter by process.name containing “ccmexec.exe” or “setup.exe” and exclude any activity that does not involve known deployment tools or package execution.
Scenario: Database Backup or Restore Job
Description: A database backup or restore job (e.g., using SQL Server Backup or Oracle RMAN) may trigger the rule due to file system or network