The detection hypothesis is that this rule identifies potential ZeroAccess Exploit Kit activity through suspicious network behavior indicative of exploit kit infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by known malicious exploit kits.
YARA Rule
rule zeroaccess_css2 : EK css
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "ZeroAccess Exploit Kit Detection"
        hash0 = "e300d6a36b9bfc3389f64021e78b1503"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "er div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div."
        $string1 = "ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3."
        $string2 = "cdn2.dailyrx.com"
        $string3 = "efefef;margin:5px 0 5px 0;}"
        $string4 = "node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}"
        $string5 = ":0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-width"
        $string6 = "i a{color:"
        $string7 = ":bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing div.tweet-di"
        $string8 = "div.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane div.admin-links l"
        $string9 = "div.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{margin"
        $string10 = "FFFFDD none repeat scroll 0 0;border:1px solid "
        $string11 = "vider{clear:left;border-bottom:1px solid "
    condition:
        11 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
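As an added example (not part of this page or of the YaraGenerator rule itself), the following Python evaluates the rule's "11 of them" condition without the yara library: it parses the rule's plain-text strings and threshold, counts which of the 12 patterns occur in a buffer, and builds a constructed sample that hits exactly 11 of them, which is the minimum that fires. The function names `parse_rule`, `scan` and `build_sample` are assumptions, and the evaluator handles only plain-string rules with an "N of them" condition.

```python
import re

# Rule text copied from the page above (meta section omitted; strings and condition kept verbatim).
RULE_TEXT = r'''rule zeroaccess_css2 : EK css
{
strings:
$string0 = "er div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div."
$string1 = "ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3."
$string2 = "cdn2.dailyrx.com"
$string3 = "efefef;margin:5px 0 5px 0;}"
$string4 = "node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}"
$string5 = ":0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-width"
$string6 = "i a{color:"
$string7 = ":bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing div.tweet-di"
$string8 = "div.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane div.admin-links l"
$string9 = "div.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{margin"
$string10 = "FFFFDD none repeat scroll 0 0;border:1px solid "
$string11 = "vider{clear:left;border-bottom:1px solid "
condition:
11 of them
}'''

STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"(.*)"\s*$', re.M)   # plain-text string definitions only
COND_RE = re.compile(r'condition:\s*(\d+)\s+of\s+them', re.S)  # only the "N of them" condition form

def parse_rule(text):
    """Return ({name: bytes pattern}, threshold) for a plain-string 'N of them' rule (assumed helper)."""
    strings = {name: val.encode() for name, val in STRING_RE.findall(text)}
    m = COND_RE.search(text)
    if not m:
        raise ValueError("only 'N of them' conditions are supported by this evaluator")
    return strings, int(m.group(1))

def scan(data, rule_text=RULE_TEXT):
    """Return (matched, hit_names): matched is True when at least N of the strings occur in data."""
    strings, threshold = parse_rule(rule_text)
    hits = sorted(name for name, pat in strings.items() if pat in data)
    return len(hits) >= threshold, hits

# Constructed sample: concatenates every pattern except the ones in `drop` inside a <style> block,
# so the default (dropping only the hostname string) lands exactly on the 11-of-12 threshold.
def build_sample(drop=("$string2",)):
    strings, _ = parse_rule(RULE_TEXT)
    return b"<style>" + b"\n".join(v for k, v in strings.items() if k not in drop) + b"</style>"
```

Because the condition is "11 of them" over 12 strings, a page missing the `cdn2.dailyrx.com` hostname still matches, while any buffer missing two or more of the patterns does not.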
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup or update job, may trigger the rule due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance job names (e.g., CleanupTask, WindowsUpdate).
Scenario: Admin User Performing Patch Deployment
Description: An administrator using PsExec or psexec.exe to remotely execute a patch or update on a system may be flagged due to similar network behavior or file execution patterns.
Filter/Exclusion: Exclude processes executed by admin users with PsExec and targeting known patching tools (e.g., WindowsUpdate.exe, msiexec.exe).
Scenario: Legitimate Software Installation via MSI
Description: A legitimate software installation using msiexec.exe with a .msi file may be flagged due to the presence of exploit kit-like behavior during installation.
Filter/Exclusion: Exclude processes where msiexec.exe is used with valid MSI files from trusted vendors (e.g., setup.msi, installer.msi).
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or tcpdump may generate traffic that matches the detection logic due to similar network protocols or packet behaviors.
Filter/Exclusion: Exclude traffic from known network monitoring tools (e.g., wireshark.exe, tcpdump.exe) or processes running under specific user accounts used for monitoring.
Scenario: Automated Log File Analysis Job
Description: A scheduled job using logparser.exe or PowerShell scripts to analyze log files may be flagged due to similar command-line execution patterns.