Fragus Exploit Kit Detection identifies attempts by malicious actors to deliver payloads with the Fragus Exploit Kit through compromised websites, using a YARA signature over the HTML and JavaScript served by the landing page. YARA matches file content, not log events, so the rule runs wherever the page bytes can be scanned (endpoint or mail-gateway scanners, proxy captures, sandbox output); SOC teams hunting in Azure Sentinel should ingest those match events and pivot on the host, URL and user involved to catch early-stage compromise attempts that traditional, event-based detection may miss.
YARA Rule
rule fragus_htm : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "f76deec07a61b4276acc22beef41ea47"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = ">Hello, "
        $string1 = "http://www.clantemplates.com"
        $string2 = "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace "
        $string3 = "></TD></TR></TABLE> "
        $string4 = "Image21"
        $string5 = "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> "
        $string6 = "to this WarCraft Template"
        $string7 = " document.getElementById) x"
        $string8 = " if (a[i].indexOf("
        $string9 = "x.oSrc;"
        $string10 = "x.src; x.src"
        $string11 = "<HTML>"
        $string12 = "FFFFFF"
        $string13 = " CELLSPACING"
        $string14 = "images/layoutnormal_03.gif"
        $string15 = "<TR> <TD "
        $string16 = " CELLPADDING"
    condition:
        16 of them
}
This YARA rule can be deployed in the following contexts:
This rule declares 17 plain strings and fires when at least 16 of them are present (condition: 16 of them). Only four of them (the getElementById, indexOf, oSrc and src fragments of an image-rollover script) are script content; the other 13 are HTML boilerplate from a ClanTemplates "WarCraft" template found in the single sample the rule was generated from (hash0). The rule therefore identifies that host page rather than Fragus itself: a different compromised site serving the same kit will not match, a clean copy of the template that still carries these strings will, and two cosmetic edits to the host page (one string each) are enough to drop a true positive below the threshold. Treat it as an indicator for this one campaign page, not as kit-level coverage.
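The following is an added example, not code from the original page and not YARA itself: it re-implements the matching logic of fragus_htm in plain Python (17 case-sensitive ASCII substrings, fire when at least 16 are present) so the threshold behaviour can be inspected without yara-python. The three HTML pages are constructed for illustration; the rollover script and template text are made up to contain the rule's strings, not taken from a real capture.

```python
# Added example: plain-Python re-implementation of the fragus_htm rule's logic.
# Not part of the original page and not the YARA engine; sample pages are constructed.

# The 17 plain strings exactly as declared in the rule.
RULE_STRINGS = [
    ">Hello, ",
    "http://www.clantemplates.com",
    "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace ",
    "></TD></TR></TABLE> ",
    "Image21",
    "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> ",
    "to this WarCraft Template",
    " document.getElementById) x",
    " if (a[i].indexOf(",
    "x.oSrc;",
    "x.src; x.src",
    "<HTML>",
    "FFFFFF",
    " CELLSPACING",
    "images/layoutnormal_03.gif",
    "<TR> <TD ",
    " CELLPADDING",
]
THRESHOLD = 16  # condition: 16 of them


def matched_strings(data: bytes) -> list:
    """Rule strings found in data. Mirrors YARA's 'N of them', which counts
    distinct strings that matched at least once, not total occurrences.
    YARA plain strings are case-sensitive ASCII by default, hence bytes."""
    return [s for s in RULE_STRINGS if s.encode("ascii") in data]


def rule_fires(data: bytes) -> bool:
    return len(matched_strings(data)) >= THRESHOLD


# Constructed Dreamweaver-style image-rollover script (the only non-template
# strings the rule keys on).
_SCRIPT = [
    "<HEAD><SCRIPT>",
    "function swapImage() { var a = arguments; var x;",
    "  if (a.length && document.getElementById) x = document.getElementById(a[0]);",
    '  for (var i = 1; i < a.length; i++) { if (a[i].indexOf("#") != 0) { x.oSrc = x.src; x.src = a[i]; } }',
    "}",
    "function swapImgRestore() { var x = document.getElementById(arguments[0]); x.src = x.oSrc; }",
    "</SCRIPT></HEAD>",
]
# Constructed template body; the trailing spaces on two lines are deliberate,
# because the rule strings include them.
_TEMPLATE_BODY = [
    '<BODY BGCOLOR="#FFFFFF">',
    '<TABLE CELLSPACING="0" CELLPADDING="0">',
    '<TR> <TD ><IMG SRC="images/layoutnormal_03.gif" NAME="Image21"></TD></TR></TABLE> ',
    "<CENTER><FONT>Hello, this template was created by Bl1nk and is downloadable at "
    "<B>ClanTemplates.com<BR></B>Replace the colours to this WarCraft Template, "
    "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> ",
    '<A HREF="http://www.clantemplates.com">ClanTemplates</A>',
    "</BODY></HTML>",
]


def _page(lines) -> bytes:
    return "\n".join(["<HTML>"] + lines).encode("ascii")


# 1. Template plus rollover script and no exploit-kit content at all: all 17 strings.
TEMPLATE_PAGE = _page(_SCRIPT + _TEMPLATE_BODY)
# 2. Same page after two cosmetic edits by the site owner (credit link removed,
#    image renamed): two strings gone, below the threshold.
EDITED_PAGE = _page(
    _SCRIPT + [l.replace("Image21", "Image22") for l in _TEMPLATE_BODY if not l.startswith("<A HREF")]
)
# 3. The same rollover script on an unrelated site: only the script fragments match.
SCRIPT_ONLY_PAGE = _page(_SCRIPT + ["<BODY>Unrelated site</BODY></HTML>"])


if __name__ == "__main__":
    for name, page in [("template", TEMPLATE_PAGE), ("edited", EDITED_PAGE), ("script-only", SCRIPT_ONLY_PAGE)]:
        print(name, len(matched_strings(page)), "of", len(RULE_STRINGS), "fires:", rule_fires(page))
```

With yara-python installed, `yara.compile(source=rule_text).match(data=TEMPLATE_PAGE)` gives the authoritative answer from the real engine; the Python version above is only there to make the counting visible.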
The exclusions below are written against the process fields of the alert that carries a YARA match (for example from an endpoint scanner), not as YARA conditions: the rule itself only sees file content and has no process context, and none of these activities produce the HTML strings it looks for. Treat them as tuning for the alert pipeline, keep them narrow, and confirm that an excluded process is not the one that wrote or fetched the matched file.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that downloads a file or changes system settings, behaviour that can look like post-exploitation activity. On Windows the parent of a scheduled task is normally the svchost.exe instance hosting the Schedule service (taskeng.exe on older releases), so a parent name of "Task Scheduler" will rarely match in practice; scope the exclusion to the specific task command line instead.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:"schtasks.exe"
Scenario: Admin Performing Patch Management
Description: An administrator deploys patches through Windows Update or WSUS, which downloads and executes payloads in a way that resembles exploit kit delivery. wuauclt.exe is the legacy update client; limit the exclusion to the update mechanism actually in use rather than excluding both names everywhere.
Filter/Exclusion: process.name:"wusa.exe" or process.name:"wuauclt.exe"
Scenario: Log File Analysis Tool Execution
Description: LogParser or a PowerShell script reads log files, and its file access or command-line arguments can resemble exploit kit behaviour. The filter mixes or and and, and query languages differ in which operator binds tighter; without parentheses a left-to-right reading drops LogParser runs that lack -Command from the exclusion, so make the grouping explicit.
Filter/Exclusion: process.name:"logparser.exe" or (process.name:"powershell.exe" and process.command_line:"-Command")
Scenario: Database Backup Job
Description: A backup tool such as a SQL Server backup utility or mysqldump performs file operations whose command-line arguments can resemble exploit kit activity.
Filter/Exclusion: process.name:"sqlbackup.exe" or process.name:"mysqldump.exe"
Scenario: Network Monitoring Tool Deployment
Description: Wireshark or tcpdump is deployed, and its file operations or command-line arguments can trigger the alert.
Filter/Exclusion: process.name:"tcpdump.exe" or process.name:"wireshark.exe"
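The following is an added example, not code from the original page: the five exclusion filters above evaluated in Python over constructed alert records, to show that the mixed or/and in the Log File Analysis filter means different things under different operator precedence and needs explicit parentheses. Field names are the page's; treating process.command_line as a substring match and the other fields as exact matches is an assumption about the target SIEM, and the alert records are made up, not real telemetry.

```python
# Added example, not from the original page: the page's five exclusion filters
# applied to constructed alert records, with the Log File Analysis filter shown
# under two operator-precedence readings.


def has(rec: dict, field: str, value: str) -> bool:
    """Single-field test as the page's filters use it. Assumption: command lines
    are matched as substrings (a term inside the value), other fields exactly.
    A missing field never matches."""
    actual = rec.get(field)
    if actual is None:
        return False
    if field == "process.command_line":
        return value in actual
    return actual == value


def log_analysis_and_first(rec: dict) -> bool:
    """Log File Analysis filter with 'and' binding tighter than 'or':
    logparser.exe OR (powershell.exe AND -Command), the intended meaning."""
    return has(rec, "process.name", "logparser.exe") or (
        has(rec, "process.name", "powershell.exe") and has(rec, "process.command_line", "-Command")
    )


def log_analysis_left_to_right(rec: dict) -> bool:
    """The same filter read left to right, as a naive evaluator would parse it:
    (logparser.exe OR powershell.exe) AND -Command."""
    return (has(rec, "process.name", "logparser.exe") or has(rec, "process.name", "powershell.exe")) and has(
        rec, "process.command_line", "-Command"
    )


# All five scenarios with the grouping made explicit.
SCENARIO_FILTERS = {
    "scheduled_job": lambda r: has(r, "process.parent_process_name", "Task Scheduler")
    or has(r, "process.command_line", "schtasks.exe"),
    "patch_management": lambda r: has(r, "process.name", "wusa.exe") or has(r, "process.name", "wuauclt.exe"),
    "log_analysis": log_analysis_and_first,
    "db_backup": lambda r: has(r, "process.name", "sqlbackup.exe") or has(r, "process.name", "mysqldump.exe"),
    "network_monitoring": lambda r: has(r, "process.name", "tcpdump.exe") or has(r, "process.name", "wireshark.exe"),
}


def excluded_by(rec: dict) -> list:
    """Names of the scenarios whose filter would suppress this alert."""
    return [name for name, f in SCENARIO_FILTERS.items() if f(rec)]


def precedence_disagreements(records: list) -> list:
    """Records on which the two readings of the Log File Analysis filter disagree."""
    return [r for r in records if log_analysis_and_first(r) != log_analysis_left_to_right(r)]


# Constructed alert records (not real telemetry).
LOGPARSER_QUERY = {"process.name": "logparser.exe", "process.command_line": "logparser.exe file:weekly.sql -i:W3C"}
PS_LOG_REVIEW = {
    "process.name": "powershell.exe",
    "process.command_line": "powershell.exe -Command Get-Content C:\\inetpub\\logs\\u_ex.log",
}
# An encoded, hidden-window PowerShell launch must stay visible: no -Command, so not excluded.
PS_ENCODED = {"process.name": "powershell.exe", "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
BROWSER = {"process.name": "iexplore.exe", "process.command_line": "iexplore.exe http://example.test/"}
ALERTS = [LOGPARSER_QUERY, PS_LOG_REVIEW, PS_ENCODED, BROWSER]


if __name__ == "__main__":
    for rec in ALERTS:
        print(rec["process.name"], "excluded by:", excluded_by(rec))
    print("readings disagree on:", [r["process.command_line"] for r in precedence_disagreements(ALERTS)])
```

The LogParser record is the one that flips: with and binding first it is excluded, read left to right it is not, because its command line carries no -Command. Whichever reading the SIEM applies, the parenthesised form in the filter above fixes the meaning.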