The Phoenix Exploit Kit Detection rule identifies PDF files whose structure matches the malicious documents generated by the Phoenix Exploit Kit: a minimal %PDF-1.0 skeleton whose object 3 holds a /JavaScript name tree referencing object 5, together with the fixed cross-reference offsets and the trailer (/Root 1 0 R /Size 7) that the kit's generator emits. The strings were produced with YaraGenerator from the two samples listed by MD5 in the rule's meta. Because exploit-kit PDFs are the delivery stage of a drive-by campaign, SOC teams can hunt for matching files in mail attachments, browser download directories and web proxy caches to catch exploitation attempts before the dropped payload establishes persistence.
YARA Rule
rule phoenix_pdf : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "16de68e66cab08d642a669bf377368da"
        hash1 = "bab281fe0cf3a16a396550b15d9167d5"
        sample_filetype = "pdf"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "0000000254 00000 n"
        $string1 = "0000000295 00000 n"
        $string2 = "trailer<</Root 1 0 R /Size 7>>"
        $string3 = "0000000000 65535 f"
        $string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
        $string5 = "0000000120 00000 n"
        $string6 = "%PDF-1.0"
        $string7 = "startxref"
        $string8 = "0000000068 00000 n"
        $string9 = "endobjxref"
        $string10 = ")6 0 R ]>>endobj"
        $string11 = "0000000010 00000 n"
    condition:
        11 of them
}
This rule contains 12 string patterns in its detection logic and fires when any 11 of them are present (condition: 11 of them), so a sample that differs in exactly one artifact, for example a re-saved version header, still matches, while two differences are enough to evade it. It is a static, file-content signature: it can be deployed wherever YARA scans file bytes (endpoint scanners, mail gateways, sandbox and forensic pipelines), and it carries no information about the process, user or command that wrote or opened the file. Any exclusion therefore has to be expressed on file provenance (path, origin, hash), not on process names.
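The following is an added example, not code from the original page or from the rule's author: it re-implements the phoenix_pdf condition in plain Python so an analyst can see which of the twelve strings hit on a near miss, confirms a hit against the two sample hashes in the rule's meta before any exclusion is written, and optionally cross-checks against the real engine when yara-python is installed. The three PDF byte strings are constructed here to exercise the threshold (12, 11 and 10 hits); they are not real Phoenix EK samples, and their xref offsets are copied from the rule rather than computed.

```python
"""Re-implementation of the phoenix_pdf YARA condition for triage.

Added example, not part of the original page or the rule author's tooling.
The sample PDFs are constructed below to exercise the rule; they are not the
real Phoenix EK samples referenced by hash0/hash1 in the rule's meta.
"""
import hashlib
from typing import Dict, Tuple

try:
    import yara  # optional: yara-python, used only for cross-checking
except ImportError:
    yara = None

# The twelve $string patterns, keyed by their identifier in the rule.
PHOENIX_STRINGS: Dict[str, bytes] = {
    "$string0": b"0000000254 00000 n",
    "$string1": b"0000000295 00000 n",
    "$string2": b"trailer<</Root 1 0 R /Size 7>>",
    "$string3": b"0000000000 65535 f",
    "$string4": b"3 0 obj<</JavaScript 5 0 R >>endobj",
    "$string5": b"0000000120 00000 n",
    "$string6": b"%PDF-1.0",
    "$string7": b"startxref",
    "$string8": b"0000000068 00000 n",
    "$string9": b"endobjxref",
    "$string10": b")6 0 R ]>>endobj",
    "$string11": b"0000000010 00000 n",
}
THRESHOLD = 11  # condition: 11 of them
# MD5s from the rule's meta (hash0, hash1): the samples the rule was generated from.
KNOWN_MD5 = {"16de68e66cab08d642a669bf377368da", "bab281fe0cf3a16a396550b15d9167d5"}


def evaluate_phoenix_pdf(data: bytes) -> Tuple[bool, Dict[str, bool]]:
    """Apply the rule with YARA's default text-string semantics
    (case-sensitive, ASCII, plain substring search). Returns
    (matched, per-string hit map) so an analyst can see which pattern
    was absent on a near miss."""
    hits = {name: pattern in data for name, pattern in PHOENIX_STRINGS.items()}
    return sum(hits.values()) >= THRESHOLD, hits


def is_known_sample(data: bytes) -> bool:
    """True if the file is one of the two samples the rule was built from.
    A hit should be confirmed this way (or by inspecting object 3/5) before
    any path-based exclusion is added."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


def cross_check_with_yara(data: bytes, rule_source: str):
    """Run the real YARA engine on the rule text if yara-python is installed;
    returns None when it is not available."""
    if yara is None:
        return None
    return bool(yara.compile(source=rule_source).match(data=data))


# Constructed sample: a minimal PDF skeleton whose catalog /Names entry points
# at a /JavaScript name tree, laid out so that all twelve patterns occur.
# The xref offsets are copied from the rule, not computed, so a reader would
# reject the file; the rule never parses the PDF, so that does not matter.
SAMPLE_ALL_HITS = b"\n".join([
    b"%PDF-1.0",
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/Names 3 0 R>>endobj",
    b"2 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj",
    b"3 0 obj<</JavaScript 5 0 R >>endobj",
    b"4 0 obj<</Type/Page/Parent 2 0 R>>endobj",
    b"5 0 obj<</Names[(js)6 0 R ]>>endobj",
    b"6 0 obj<</S/JavaScript/JS(x)>>endobjxref",
    b"0 7",
    b"0000000000 65535 f",
    b"0000000010 00000 n",
    b"0000000068 00000 n",
    b"0000000120 00000 n",
    b"0000000254 00000 n",
    b"0000000295 00000 n",
    b"0000000330 00000 n",
    b"trailer<</Root 1 0 R /Size 7>>",
    b"startxref",
    b"353",
    b"%%EOF",
])
# Same skeleton re-saved with a newer header: 11 of 12 still fires.
SAMPLE_NEWER_VERSION = SAMPLE_ALL_HITS.replace(b"%PDF-1.0", b"%PDF-1.4", 1)
# Header and one xref entry differ: only 10 of 12, so no match.
SAMPLE_TWO_MISSING = SAMPLE_NEWER_VERSION.replace(
    b"0000000295 00000 n", b"0000000296 00000 n", 1)

if __name__ == "__main__":
    for label, blob in (("all", SAMPLE_ALL_HITS), ("newer", SAMPLE_NEWER_VERSION),
                        ("two-missing", SAMPLE_TWO_MISSING)):
        matched, hits = evaluate_phoenix_pdf(blob)
        missing = [k for k, v in hits.items() if not v]
        print(f"{label}: matched={matched} hits={sum(hits.values())}/12 "
              f"missing={missing} known_sample={is_known_sample(blob)}")
```

To cross-check with the real engine, paste the rule text from above into a string and pass it to cross_check_with_yara; the pure-Python path and yara-python agree on these inputs because the rule uses only plain text strings with default modifiers, which is exactly substring search.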
Scenario: Scheduled System Maintenance Job
Description: A scheduled task or cron job copies or regenerates PDF documents (reports, archived mail, build artifacts) into a directory covered by the scan, or fetches files with curl or wget from a known internal server, and the scan fires on one of those files.
Filter/Exclusion: Check the file's origin and the account that wrote it. Exclude only files written by the known maintenance account's job into its known output directory, and only after confirming the match is not a copy of a document that originally arrived from outside; the rule's strings are specific enough that a legitimately generated PDF should not contain eleven of them.
Scenario: Software Update Deployment
Description: A software update deployed with WSUS or Chocolatey unpacks documentation or installer resources into C:\Windows\Temp or C:\ProgramData while the scan runs, and a PDF among them is flagged.
Filter/Exclusion: Exclude by the update package's file hashes or its install directory rather than by the executable (wsusutil.exe, choco, powershell.exe): a YARA content match cannot be attributed to a process from the scan output alone.
Scenario: Admin Debugging Session
Description: A system administrator is using Process Explorer or Procmon to debug a PDF reader, and a memory or file scan run during the session matches the document that is open in the reader.
Filter/Exclusion: Record which document was under analysis and exclude that file by hash for the duration of the session. Do not exclude procmon.exe, procexp.exe or the debugger itself; the tools do not produce the matching content, the document does.
Scenario: Log Collection and Analysis
Description: A log aggregation tool such as Splunk, ELK Stack or Graylog ingests raw attachments or quarantined files (for example a suspicious PDF forwarded for analysis) and writes copies to its spool or temporary directories, so the same file matches a second time.
Filter/Exclusion: Exclude the known spool and temporary directories of splunkd.exe, logstash or graylog-server, but keep the alert on the original file; a duplicate hit in an ingest directory is a copy of an existing detection, not a new infection.
Scenario: Internal Red Team Exercise
Description: A red team is conducting a controlled penetration test using