The phoenix_pdf3 rule flags PDF files whose object layout matches the Phoenix Exploit Kit PDF exploit sample hashed in the rule's metadata. Phoenix was a drive-by exploit kit: victims were redirected from compromised or malicious sites to a landing page that served browser and plugin exploits, among them malicious PDFs, so a hit on this rule points to an attempted initial compromise of the host that received the file. Because the rule inspects file content rather than telemetry, it belongs in a file scanner (mail gateway, proxy download scanning, endpoint on-access scanning or a sandbox); the resulting alerts can be forwarded to Azure Sentinel (now Microsoft Sentinel) so the SOC can pivot to the source URL and the receiving host early, before any follow-on activity or lateral movement.
YARA Rule
rule phoenix_pdf3 : EK PDF
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "bab281fe0cf3a16a396550b15d9167d5"
        sample_filetype = "pdf"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "trailer<</Root 1 0 R /Size 7>>"
        $string1 = "stream"
        $string2 = ";_oI5z"
        $string3 = "0000000010 00000 n"
        $string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
        $string5 = "7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>"
        $string6 = "endobjxref"
        $string7 = "L%}gE("
        $string8 = "0000000157 00000 n"
        $string9 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
        $string10 = "0000000120 00000 n"
        $string11 = "4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj"
    condition:
        11 of them
}
This rule contains 12 string patterns and fires when any 11 of them are present (condition: 11 of them). It can be deployed wherever PDF attachments and downloads are scanned with YARA: a mail gateway, a web proxy, an endpoint on-access scanner or a sandbox. Two of the strings ($string2 and $string7) are opaque bytes from the sample's compressed JavaScript stream; the rest are object dictionaries, xref offsets and the trailer copied verbatim from the sample by YaraGenerator. A legitimate PDF would have to reproduce almost the same object numbering, byte offsets and stream content to reach the threshold, so false positives come from other copies of the same or a near-identical file (quarantine folders, mail stores, backups), not from unrelated activity.
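To make the condition concrete, the following Python re-implements the rule's string logic and runs it over two PDF byte strings constructed for this example (neither is a Phoenix sample, and the xref offsets in the constructed file are copied from the rule rather than computed). This is an added example, not part of the rule or of YaraGenerator; in production, compile and run the rule text itself with yara or yara-python. It shows that a file with the same object skeleton but different stream bytes reaches only 10 of the 12 strings and does not fire, while a single one of the two stream fragments tips it over the 11-of-12 threshold.

```python
"""Plain-Python re-implementation of the phoenix_pdf3 string logic.

Added example, not part of the original rule. It mirrors YARA's `N of them`
semantics: each string counts once no matter how often it occurs, and the
rule fires when at least THRESHOLD distinct strings are found.
"""

# The 12 strings from the rule, byte-for-byte (YARA text strings are
# case-sensitive and match raw bytes).
PHOENIX_PDF3_STRINGS = [
    b"trailer<</Root 1 0 R /Size 7>>",
    b"stream",
    b";_oI5z",
    b"0000000010 00000 n",
    b"3 0 obj<</JavaScript 5 0 R >>endobj",
    b"7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>",
    b"endobjxref",
    b"L%}gE(",
    b"0000000157 00000 n",
    b"1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj",
    b"0000000120 00000 n",
    b"4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj",
]
THRESHOLD = 11  # condition: 11 of them

# The two opaque fragments the rule lifted from the sample's compressed stream.
STREAM_FRAGMENTS = [b";_oI5z", b"L%}gE("]


def matched_strings(data: bytes) -> list[bytes]:
    """Return the rule strings present anywhere in `data`, each at most once."""
    return [s for s in PHOENIX_PDF3_STRINGS if s in data]


def phoenix_pdf3_matches(data: bytes) -> bool:
    """True when the rule condition (11 of 12 strings) is satisfied."""
    return len(matched_strings(data)) >= THRESHOLD


def constructed_pdf(stream_fragments: list[bytes]) -> bytes:
    """Build a PDF skeleton (constructed for this example, not a real sample)
    with the object layout the rule describes. `stream_fragments` stands in
    for the compressed JavaScript stream; the xref offsets are copied from the
    rule, not computed, so a PDF reader would reject the file, which does not
    matter for byte-level string matching."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj\n"
        b"2 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj\n"
        b"3 0 obj<</JavaScript 5 0 R >>endobj\n"
        b"4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj\n"
        b"5 0 obj<</Names[(x) 6 0 R]>>endobj\n"
        b"6 0 obj<</S/JavaScript/JS 7 0 R>>endobj\n"
        b"7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>stream\n"
        + b"".join(stream_fragments)
        + b"\nendstream\nendobjxref\n0 8\n0000000000 65535 f\n"
        b"0000000010 00000 n\n0000000120 00000 n\n0000000157 00000 n\n"
        b"trailer<</Root 1 0 R /Size 7>>\nstartxref\n0\n%%EOF\n"
    )


# A benign single-page PDF (constructed): no Names tree, no JavaScript, a
# different /Size, and "endobj" and "xref" on separate lines.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/Contents 4 0 R>>endobj\n"
    b"4 0 obj<</Length 11>>stream\nBT ET\nendstream\nendobj\n"
    b"xref\n0 5\n0000000000 65535 f\n0000000010 00000 n\n"
    b"trailer<</Root 1 0 R /Size 5>>\n%%EOF\n"
)


if __name__ == "__main__":
    cases = {
        "benign PDF": BENIGN_PDF,
        "same skeleton, different stream bytes": constructed_pdf([]),
        "skeleton + one stream fragment": constructed_pdf(STREAM_FRAGMENTS[:1]),
        "skeleton + both stream fragments": constructed_pdf(STREAM_FRAGMENTS),
    }
    for label, data in cases.items():
        hits = matched_strings(data)
        print(f"{label}: {len(hits)}/12 strings, match={phoenix_pdf3_matches(data)}")
```

The benign file shares only "stream" and the first xref entry with the rule; the skeleton without the stream bytes stops at 10 of 12. That margin of one string is what makes YaraGenerator rules this specific: they are effectively a fuzzy hash of one file, so expect them to miss repacked variants rather than to produce false positives.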
The tuning scenarios below are expressed with process, user and port fields. These fields belong to the telemetry of the tool that scanned the file, not to the rule: the rule matches file content only, so such filters can suppress or route alerts but cannot change what the rule matches.
Scenario: Scheduled System Backup Job
Description: A scheduled backup (Veeam Backup & Replication, Commvault) reads or copies every file on a host, including archived mail attachments and quarantined files, and an on-access scanner can re-raise the rule on old copies of a sample that has already been handled.
Filter/Exclusion: Suppress repeat alerts where the accessing process is the backup agent, e.g. process.name = "veeam.exe" OR process.name = "cvbackup.exe", and the file path is under the backup repository; keep the first detection of each file hash so the original delivery is still investigated.
Scenario: Admin Performing Remote PowerShell Script Execution
Description: An administrator's PowerShell script downloads or stages PDF documents (vendor manuals, report exports) as part of configuration or patching, and the files are scanned as they are written.
Filter/Exclusion: Do not exclude on user.name = "Administrator" OR user.name = "root": an attacker who lands on the host runs under the same accounts, and a blanket exclusion would hide the exploit document itself. If an exclusion is needed, tie it to process.name = "powershell.exe" running a whitelisted, signed script path and to the known source of the documents.
Scenario: Software Update via Microsoft Intune or SCCM
Description: A software deployment via Microsoft Intune or System Center Configuration Manager (SCCM) extracts installer packages on the endpoint, and PDF release notes or manuals inside a package are scanned as they are written.
Filter/Exclusion: Exclude files written by the deployment process, using process.name for msiexec.exe, setup.exe or the Intune management agent, scoped to the package's known install or cache path. A destination.port filter on 80, 443 or 8080 is not a useful exclusion: exploit kit landing pages are served over the same ports as software updates.
Scenario: Database Replication or Synchronization Task
Description: A replication task using SQL Server Agent or Oracle Data Guard moves data files and exports between hosts; where documents are stored as blobs and exported to disk, the scanner sees them on every synchronization.
Filter/Exclusion: Exclude files written by known database processes using process.name = "sqlservr.exe" OR process.name = "oracle.exe", or filter by destination.port for database ports (e.g