The Phoenix Exploit Kit Detection identifies potential exploitation attempts by adversaries leveraging compromised or malicious domains to deliver payloads, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage attacks and prevent lateral movement within the network.
YARA Rule
rule phoenix_html10 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "f5f8dceca74a50076070f2593e82ec43"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "pae>crAeahoilL"
        $string1 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
        $string2 = "nbte)bbn"
        $string3 = "v9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a"
        $string4 = "0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A"
        $string5 = ";)npeits0e.uvr;][tvr"
        $string6 = "433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A"
        $string7 = "350;var ysjzyq"
        $string8 = "aSmd'lm/t/im.}d.-Ljg,l-"
        $string9 = "0017687F6164706E6967060002008101'2176045ckb"
        $string10 = "63(dcma)nenn869"
        $string11 = "').replace(/"
        $string12 = "xd'c0lrls09sare"
        $string13 = "(]t.(7u(<p"
        $string14 = "d{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E"
        $string15 = "/var another;</textarea>"
        $string16 = "Fa527496C62eShHmar(bA,pPec"
        $string17 = "FaA244A676C,150e62A5B2B61,'2F"
    condition:
        17 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic.
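The condition "17 of them" over 18 strings means the rule still fires when exactly one string is absent, but not two. The following Python is an added example (not part of the rule above or of YaraGenerator) that evaluates that threshold against constructed buffers without needing yara-python; it assumes a rule whose strings are plain text and whose condition is "N of them", which is all this rule uses.

```python
import re

# Strings and condition copied from the page's phoenix_html10 rule (meta omitted).
RULE = r'''
strings:
$string0 = "pae>crAeahoilL"
$string1 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
$string2 = "nbte)bbn"
$string3 = "v9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a"
$string4 = "0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A"
$string5 = ";)npeits0e.uvr;][tvr"
$string6 = "433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A"
$string7 = "350;var ysjzyq"
$string8 = "aSmd'lm/t/im.}d.-Ljg,l-"
$string9 = "0017687F6164706E6967060002008101'2176045ckb"
$string10 = "63(dcma)nenn869"
$string11 = "').replace(/"
$string12 = "xd'c0lrls09sare"
$string13 = "(]t.(7u(<p"
$string14 = "d{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E"
$string15 = "/var another;</textarea>"
$string16 = "Fa527496C62eShHmar(bA,pPec"
$string17 = "FaA244A676C,150e62A5B2B61,'2F"
condition:
17 of them
'''

def parse_rule(rule_text):
    """Return ({id: bytes}, threshold) for a plain-string 'N of them' rule (assumed shape)."""
    strings = {m.group(1): m.group(2).encode() for m in
               re.finditer(r'^\$(\w+)\s*=\s*"(.*)"\s*$', rule_text, re.M)}
    threshold = int(re.search(r'condition:\s*(\d+)\s+of\s+them', rule_text).group(1))
    return strings, threshold

def rule_matches(rule_text, data):
    """Evaluate the rule against data using YARA's default ASCII, case-sensitive substring search."""
    strings, threshold = parse_rule(rule_text)
    hits = sorted(i for i, s in strings.items() if s in data)
    return len(hits) >= threshold, hits

# Constructed buffers (not real exploit kit pages) that probe the 17-of-18 threshold.
STRINGS, _ = parse_rule(RULE)
FULL = b"<html>" + b" ".join(STRINGS.values()) + b"</html>"
MISSING_ONE = b" ".join(s for i, s in STRINGS.items() if i != "string4")
MISSING_TWO = b" ".join(s for i, s in STRINGS.items() if i not in ("string4", "string14"))

if __name__ == "__main__":
    for name, buf in (("full", FULL), ("missing_one", MISSING_ONE), ("missing_two", MISSING_TWO)):
        print(name, rule_matches(RULE, buf)[0])
```

Running it reports full and missing_one as matches and missing_two as a miss, which is the tolerance a sample must fall within for this rule to alert.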
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes initiated by the root user with rsync in the command line and matching a known backup job name in the crontab or systemd timer.
Scenario: Admin Task Using curl to Fetch Configuration
Description: An administrator may use curl to fetch updated configuration files from an internal server, which could resemble exploit kit activity.
Filter/Exclusion: Exclude traffic from known admin IPs, with curl commands targeting internal DNS or config servers, and with HTTP status codes indicating successful retrieval (e.g., 200 OK).
Scenario: Log Collection via logrotate
Description: The logrotate utility may execute scripts that manipulate log files, which could be mistaken for exploit kit behavior.
Filter/Exclusion: Exclude processes initiated by logrotate and associated scripts, especially those located in /etc/logrotate.d/ or /usr/sbin/logrotate.
Scenario: Software Update via apt or yum
Description: Package managers like apt or yum may execute scripts during updates that could trigger the detection logic.
Filter/Exclusion: Exclude processes initiated during package updates, with command lines containing apt upgrade or yum update, and with timestamps matching known update schedules.
Scenario: Internal Monitoring Tool Using netstat or ss
Description: A monitoring tool may use netstat or ss to check for open ports, which could be flagged as suspicious activity.
Filter/Exclusion: Exclude processes initiated by monitoring tools (e.g., nagios, Zabbix,