This YARA rule detects content associated with the Phoenix Exploit Kit, a browser exploit kit whose landing pages served obfuscated JavaScript and HTML to exploit visitors' browsers and plugins. The rule was produced with YaraGenerator from a single sample (MD5 30afdca94d301905819e00a7458f4a4e, file type js-html) and fires when 16 of the 17 literal strings taken from that sample are present in the scanned content. It matches file or memory content, not network traffic or credential use. SOC teams can run it over captured web content (proxy caches, sandbox artifacts, downloaded HTML/JS, mail attachments) to find landing-page artifacts at the exploitation stage, before a successful exploit leads to persistent access and data exfiltration. Because the strings are artifacts of one sample, expect narrow coverage: variants with re-generated obfuscation will not match.
YARA Rule
rule phoenix_html5 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "30afdca94d301905819e00a7458f4a4e"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "dtesu}"
$string1 = "<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/"
$string2 = "v}Ahnhxwet"
$string3 = "0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FC"
$string4 = "a2Fs2325223869e'Fm2873367130"
$string5 = "m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN"
$string6 = ")(r>hd1/dNasmd(fpas"
$string7 = "9,0,e'Fm692E583760"
$string8 = "5ud(dis"
$string9 = "nacmambuntcmi"
$string10 = "Fa078597467,1C0e674366871,'2F"
$string11 = "Fa56F386A76,180e828592024,'2F"
$string12 = "alA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uic"
$string13 = "iR'nandee"
$string14 = "('0.aEa-9leal"
$string15 = "bsD0seF"
$string16 = "t.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472"
condition:
16 of them
}
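To see how the "16 of them" condition behaves, here is an added example that is not part of the original page or of YaraGenerator: a small Python evaluator for the subset of YARA this rule uses (plain text strings and an "N of them" condition), run over constructed samples. The strings and condition are copied from the rule above; the HTML samples are constructed stand-ins for a landing page, not real Phoenix content. yara-python would give the same answers but is not required.

```python
"""Evaluate the phoenix_html5 strings and "16 of them" condition over
constructed samples, without yara-python.  Added example; supports only the
subset of YARA this rule uses: plain double-quoted text strings and an
"N of them" / "any of them" / "all of them" condition."""
import re
from dataclasses import dataclass

# Strings and condition copied from phoenix_html5 above (meta omitted).
PHOENIX_RULE = r'''
rule phoenix_html5 : EK
{
    strings:
        $string0 = "dtesu}"
        $string1 = "<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/"
        $string2 = "v}Ahnhxwet"
        $string3 = "0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FC"
        $string4 = "a2Fs2325223869e'Fm2873367130"
        $string5 = "m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN"
        $string6 = ")(r>hd1/dNasmd(fpas"
        $string7 = "9,0,e'Fm692E583760"
        $string8 = "5ud(dis"
        $string9 = "nacmambuntcmi"
        $string10 = "Fa078597467,1C0e674366871,'2F"
        $string11 = "Fa56F386A76,180e828592024,'2F"
        $string12 = "alA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uic"
        $string13 = "iR'nandee"
        $string14 = "('0.aEa-9leal"
        $string15 = "bsD0seF"
        $string16 = "t.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472"
    condition:
        16 of them
}
'''

_STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.MULTILINE)
_COND_RE = re.compile(r'condition:\s*(\d+|any|all)\s+of\s+them', re.IGNORECASE)


@dataclass
class Rule:
    strings: dict      # identifier -> literal bytes
    threshold: int     # minimum number of distinct identifiers that must match


def parse_rule(text: str) -> Rule:
    strings = {}
    for name, raw in _STRING_RE.findall(text):
        # Undo the two escapes YARA allows in plain text strings.  Matching is
        # byte-for-byte, so encode as latin-1 (every string here is ASCII).
        strings[name] = raw.replace('\\"', '"').replace('\\\\', '\\').encode('latin-1')
    m = _COND_RE.search(text)
    if not strings or not m:
        raise ValueError("rule must declare text strings and an 'N of them' condition")
    tok = m.group(1).lower()
    threshold = 1 if tok == 'any' else len(strings) if tok == 'all' else int(tok)
    return Rule(strings, threshold)


def scan(rule: Rule, data: bytes) -> tuple:
    """Return (fires, matched identifiers), as YARA evaluates 'N of them':
    each identifier counts once no matter how often it occurs in the data."""
    hits = [name for name, lit in rule.strings.items() if lit in data]
    return len(hits) >= rule.threshold, hits


def build_sample(rule: Rule, drop=()) -> bytes:
    """Constructed landing-page stand-in: the rule's own literals embedded in
    HTML, minus the identifiers listed in `drop`.  Not a real Phoenix sample."""
    body = b"\n".join(lit for name, lit in rule.strings.items() if name not in drop)
    return b"<html><body>\n" + body + b"\n</body></html>"


def demo() -> dict:
    rule = parse_rule(PHOENIX_RULE)
    return {
        # all 17 literals present: fires
        "full": scan(rule, build_sample(rule)),
        # one literal altered or dropped: 16 remain, still fires
        "one_missing": scan(rule, build_sample(rule, drop={"string3"})),
        # two literals gone: 15 < 16, the rule is blind to this variant
        "two_missing": scan(rule, build_sample(rule, drop={"string3", "string16"})),
        # obfuscated-looking JS that shares no literal with the sample
        "benign": scan(rule, b"<textarea>function f(x){return x.replace(/a/g,'b')}</textarea>"),
        # text strings are case-sensitive without 'nocase': only the all-uppercase
        # hex literal $string3 survives an uppercased copy of the page
        "upper": scan(rule, build_sample(rule).upper()),
    }


if __name__ == "__main__":
    for label, (fires, hits) in demo().items():
        print(f"{label:12} fires={fires!s:5} matched={len(hits)}")
```

Two results are worth keeping in mind when tuning: a variant with two of the seventeen literals changed is not detected, so this is a sample-specific signature rather than family-wide coverage; and the literals are case-sensitive, which is correct for obfuscated JavaScript but means any re-encoding of the page breaks matching. Note also that scanning the .yar file itself matches, since it contains every string.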
Because the rule matches literal byte sequences, it can be deployed wherever YARA scans content: files on disk, web content captured from a proxy cache or sandbox, or e-mail attachments.
This rule contains 17 string patterns ($string0 through $string16) and fires when 16 of them are present, so it tolerates exactly one altered or missing string; a sample with two changed strings does not match.
Scenario: Scheduled System Backup Job, Admin Remote Desktop Session, Software Update Deployment via SCCM, Log Collection via Splunk Forwarder
Description: These scenarios concern network traffic and process activity (backup-tool traffic that resembles exploit kit C2, RDP sessions to remote servers, SCCM payload pushes, forwarder TLS sessions to a Splunk indexer). None of them can trigger this rule: YARA matches the literal strings above in file or memory content and never sees process names, source IPs, destination ports, or TLS handshakes.
Filter/Exclusion: Apply process-name or network exclusions (for example process.name = "veeam.exe", "mstsc.exe", "ccmexec.exe", "splunkforwarder.exe", or src_ip and dest_port filters) in the EDR, NDR, or SIEM pipeline that drives the scan, not in the YARA rule. For this rule, realistic false positives are stored copies of the original sample or of the rule itself (threat-intel reports, sandbox archives, the .yar file), which contain the same literal strings; exclude those by path or file hash at the scan layer and leave the condition unchanged.
Scenario: Internal DNS Query for Legitimate Domain
Description: An internal DNS query is resolving a legitimate domain