The Phoenix Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised or unpatched systems to deploy payloads, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks before they escalate into broader breaches.
YARA Rule
rule phoenix_html11 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "be8c81288f9650e205ed13f3167ce256"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "D'0009F0C6941617C43427A76080001000F47020C606volv99,0,6,"
$string1 = "';)nWd"
$string2 = "IW'eeCn)s.a9e;0CF300FF379011078E047873754163636960496270486264416455747D69737812060209011301010104D0"
$string3 = "D8D51F5100019006D60667F2E056940170E01010747"
$string4 = "515F2F436WemBh2A4560683aFanoi(utse.o1/f;pistelzi"
$string5 = "/p(e/oah)FHw'aaarDsnwi-"
$string6 = "COa506u%db10u%1057u%f850u%f500u%0683u%05a8u%0030u%0706u%d300u%585du%38d0u%0080u%5612u'u%A2DdF6u%1M:."
$string7 = "S(yt)Dj"
$string8 = "FaA26285325,150e8292A6968,'2F"
$string9 = "0200e{b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%37"
$string10 = "(mEtlltopo{{e"
$string11 = "aSmd'lm/t/im.}d.-Ljg,l-"
$string12 = "r)C4snfapfuo}"
$string13 = "').replace(/"
$string14 = "A282A5ifA160F2628206(a"
$string15 = "obn0cf"
$string16 = "d(i'C)rtr.'pvif)iv1ilW)S((Ltl.)2,0,9;0se"
$string17 = "E23s3003476B18703C179396D08B841BC554F11678F0FEB9505FB355E044F33A540F61743738327E32D97D070FA37D87s000"
$string18 = "603742E545904575'294E20680,6F902E292A60''E6202A4E6468},e))tep"
condition:
18 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 19 string patterns in its detection logic.
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes initiated by the root user with rsync in the command line and matching a known backup script path (e.g., /usr/local/bin/backup.sh).
Scenario: Admin Task Using wget to Download a Patch
Description: An administrator may use wget to download a security patch from a trusted internal repository, which could resemble exploit kit activity.
Filter/Exclusion: Exclude processes where the command line includes a known internal repository URL (e.g., https://internal-repo.example.com/pkgs/patch-1.2.3.tar.gz) and the user is a system admin (e.g., admin or root).
Scenario: Logrotate Job Execution
Description: The logrotate utility may execute scripts or commands that resemble exploit kit behavior during log rotation.
Filter/Exclusion: Exclude processes with the command line containing /usr/sbin/logrotate and matching the default logrotate configuration file path (e.g., /etc/logrotate.conf).
Scenario: Software Update via apt or yum
Description: A package manager like apt or yum may execute scripts or commands that look similar to exploit kit payloads during system updates.
Filter/Exclusion: Exclude processes where the command line includes apt update, apt upgrade, yum update, or yum upgrade, and the user is a system admin (e.g., root or sudo).
Scenario: Internal Monitoring Tool Using curl to Poll Metrics
Description: An internal monitoring tool (e.g., Prometheus or Grafana)