The Phoenix Exploit Kit Detection identifies potential exploitation attempts by malicious actors leveraging compromised or unpatched systems to deploy malware or establish command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage adversary activity and prevent lateral movement or data exfiltration.
YARA Rule
rule phoenix_pdf2 : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "33cb6c67f58609aa853e80f718ab106a"
        sample_filetype = "pdf"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "\\nQb<%"
        $string1 = "0000000254 00000 n"
        $string2 = ":S3>v0$EF"
        $string3 = "trailer<</Root 1 0 R /Size 7>>"
        $string4 = "%PDF-1.0"
        $string5 = "0000000000 65535 f"
        $string6 = "endstream"
        $string7 = "0000000010 00000 n"
        $string8 = "6 0 obj<</JS 7 0 R/S/JavaScript>>endobj"
        $string9 = "3 0 obj<</JavaScript 5 0 R >>endobj"
        $string10 = "}pr2IE"
        $string11 = "0000000157 00000 n"
        $string12 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
        $string13 = "5 0 obj<</Names[("
    condition:
        13 of them
}
This rule contains 14 string patterns in its detection logic and fires only when at least 13 of them occur in the scanned file. The scenarios below describe benign activity that may resemble the behaviour the rule targets, together with suggested exclusions.
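To make the "13 of them" condition concrete, the following added example (not part of the original page or of the YaraGenerator project) re-implements the rule's string matching in plain Python and runs it over two constructed byte strings: a minimal benign PDF and a fixture that deliberately contains 13 of the 14 markers. The split into generic PDF tokens and rule-specific tokens is the author's own triage aid, not something the rule itself encodes; in production you would compile the rule with yara-python (`yara.compile(source=...)` then `rules.match(data=...)`) rather than reimplementing it.

```python
# Added example: pure-Python model of phoenix_pdf2's matching logic.
# YARA's "\\nQb<%" is a literal backslash followed by "n", which Python
# spells the same way in a bytes literal.
PHOENIX_PDF2_STRINGS = [
    b"\\nQb<%",
    b"0000000254 00000 n",
    b":S3>v0$EF",
    b"trailer<</Root 1 0 R /Size 7>>",
    b"%PDF-1.0",
    b"0000000000 65535 f",
    b"endstream",
    b"0000000010 00000 n",
    b"6 0 obj<</JS 7 0 R/S/JavaScript>>endobj",
    b"3 0 obj<</JavaScript 5 0 R >>endobj",
    b"}pr2IE",
    b"0000000157 00000 n",
    b"1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj",
    b"5 0 obj<</Names[(",
]
THRESHOLD = 13  # the rule's condition: "13 of them"

# Author's own classification (an assumption, not part of the rule): these
# six strings are ordinary PDF header / xref tokens that many benign files
# also contain, so on their own they carry little signal.
GENERIC_PDF_TOKENS = {
    b"%PDF-1.0", b"endstream", b"0000000000 65535 f",
    b"0000000010 00000 n", b"0000000157 00000 n", b"0000000254 00000 n",
}


def matched_strings(data: bytes) -> list:
    """Rule strings present in data. Mirrors YARA 'N of them' semantics:
    each string counts once no matter how often it occurs."""
    return [s for s in PHOENIX_PDF2_STRINGS if s in data]


def phoenix_pdf2_matches(data: bytes) -> bool:
    """True when the rule's condition (at least 13 distinct strings) holds."""
    return len(matched_strings(data)) >= THRESHOLD


def triage(data: bytes) -> dict:
    """Analyst-facing breakdown: how many strings hit, and which of them are
    rule-specific rather than generic PDF structure."""
    hits = matched_strings(data)
    return {
        "total": len(hits),
        "matches_rule": len(hits) >= THRESHOLD,
        "specific": [h for h in hits if h not in GENERIC_PDF_TOKENS],
    }


# Constructed sample 1: a minimal, benign single-page PDF skeleton.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
    b"4 0 obj<</Length 0>>stream\nendstream\nendobj\n"
    b"xref\n0 5\n0000000000 65535 f\n0000000010 00000 n\n"
    b"trailer<</Root 1 0 R /Size 5>>\nstartxref\n0\n%%EOF\n"
)

# Constructed sample 2: a fixture carrying 13 of the 14 markers (the "}pr2IE"
# token is omitted), i.e. exactly at the rule's threshold. It is a test
# fixture built from the rule's own strings, not a real malicious document.
PHOENIX_LIKE_PDF = b"\n".join(
    s for s in PHOENIX_PDF2_STRINGS if s != b"}pr2IE"
)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("fixture", PHOENIX_LIKE_PDF)):
        print(name, triage(sample))
```

Running the block shows the benign skeleton hitting only three generic xref/stream tokens, well under the threshold, while the fixture hits 13 and matches; dropping any single marker from the fixture (for example `:S3>v0$EF`) takes it to 12 and the rule no longer fires, which is the behaviour to keep in mind when tuning: the rule is tight, so false positives are far more likely to come from the process-based exclusions below being too broad than from the string logic itself.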
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that mimics exploit kit behavior, such as downloading a payload or modifying system settings.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known name like SystemMaintenanceJob.

Scenario: Patch Management Tool Execution
Description: A patch management tool (e.g., Microsoft Update, SCCM) temporarily executes scripts or binaries that resemble exploit kit activity.
Filter/Exclusion: Exclude processes associated with WindowsUpdate.exe, msiexec.exe, or tasks with a known patching tool signature.

Scenario: Admin User Performing System Configuration
Description: An administrator uses a tool like PowerShell or cmd.exe to configure system settings, which may trigger behavior similar to the exploit kit's.
Filter/Exclusion: Exclude processes initiated by users in the Administrators group or with a known command-line history (e.g., powershell.exe -Command).

Scenario: Log Collection and Analysis Tool
Description: A log analysis tool (e.g., Splunk, ELK Stack) runs scripts to parse or manipulate log files, which may be flagged as suspicious.
Filter/Exclusion: Exclude processes related to log management tools or those running under a service account like LocalSystem or LogCollector.

Scenario: Antivirus or EDR Quarantine Operation
Description: An endpoint protection tool (e.g., CrowdStrike, Bitdefender) quarantines a file, which may trigger the detection rule due to file modification or download activity.
Filter/Exclusion: Exclude processes associated with known EDR tools or files marked as quarantined by the endpoint security solution.