This rule targets the HTML/JavaScript landing page of the ZeroAccess exploit kit rather than its payload. Its strings cover the browser-fingerprinting code (screen.height, clientWidth, navigator.plugins, navigator.mimeTypes, the VIEWPORT meta tag), the redirect to /presults.jsp on the hardcoded host 128.164.107.221, and two long encoded blobs embedded in the page. SOC teams can hunt for this content in web proxy and browser caches, captured HTTP response bodies and HTML attachments on any managed host, on-premises or cloud-hosted, to find users who reached the landing page before the exploit chain completes and follow-on activity such as lateral movement or data exfiltration begins. The IP address and the encoded blobs are campaign-specific indicators, so a clean scan does not prove the kit is absent; later campaigns rotate both.
YARA Rule
rule zeroaccess_htm : EK html
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "ZeroAccess Exploit Kit Detection"
        hash0 = "0e7d72749b60c8f05d4ff40da7e0e937"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "screen.height:"
        $string1 = "</script></head><body onload"
        $string2 = "Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z"
        $string3 = "0);-10<b"
        $string4 = "function fl(){var a"
        $string5 = "0);else if(navigator.mimeTypes"
        $string6 = ");b.href"
        $string7 = "/presults.jsp"
        $string8 = "128.164.107.221"
        $string9 = ")[0].clientWidth"
        $string10 = "presults.jsp"
        $string11 = ":escape(c),e"
        $string12 = "navigator.plugins.length)navigator.plugins["
        $string13 = "window;d"
        $string14 = "gr(),j"
        $string15 = "VIEWPORT"
        $string16 = "FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA"
    condition:
        16 of them
}
The rule declares 17 plain strings ($string0 to $string16) and fires when at least 16 of them are present in the scanned content. A sample that changes any single string, such as the server address, still matches; changing two evades the rule. Note that $string10 ("presults.jsp") is a substring of $string7 ("/presults.jsp"), so in a page where the redirect path appears only once, renaming that path removes both strings at once and drops the sample below the threshold. The hash0 in the meta section documents the source sample and is not part of the condition. Since the sample type is js-html, deploy the rule against web content (proxy and browser caches, captured HTTP bodies, HTML attachments) rather than against executables, where none of these strings are expected.
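To make the threshold concrete, the Python below re-implements the rule's plain-string matching and runs it over a constructed landing-page fragment that contains all 17 strings, then over two modified copies of it. This is an added example, not code from the page or from YaraGenerator; the sample page, the replacement host 203.0.113.10 and the replacement path /r.jsp are made up for the demonstration and the fragment is not valid JavaScript, it only carries the byte sequences the rule looks for.

```python
"""Plain-Python re-implementation of the zeroaccess_htm matching logic.

Added example, not part of the original rule or page. It shows how the
"16 of them" condition behaves when a campaign changes one or two of
the strings the rule depends on.
"""
from __future__ import annotations

# The 17 strings exactly as declared in the rule, in order ($string0..$string16).
RULE_STRINGS = (
    b"screen.height:",
    b"</script></head><body onload",
    b"Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z",
    b"0);-10<b",
    b"function fl(){var a",
    b"0);else if(navigator.mimeTypes",
    b");b.href",
    b"/presults.jsp",
    b"128.164.107.221",
    b")[0].clientWidth",
    b"presults.jsp",
    b":escape(c),e",
    b"navigator.plugins.length)navigator.plugins[",
    b"window;d",
    b"gr(),j",
    b"VIEWPORT",
    b"FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA",
)

THRESHOLD = 16  # the rule's condition is "16 of them"


def matched_strings(data: bytes) -> list[int]:
    """Indices of the rule strings that occur anywhere in data.

    YARA's plain-string matching (no modifiers) is a case-sensitive
    substring search, so a bytes containment test reproduces it here.
    """
    return [i for i, s in enumerate(RULE_STRINGS) if s in data]


def rule_fires(data: bytes) -> bool:
    """True when at least THRESHOLD of the 17 strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


def missing_strings(data: bytes) -> list[str]:
    """Names of the rule strings absent from data, useful in triage output."""
    hit = set(matched_strings(data))
    return [f"$string{i}" for i in range(len(RULE_STRINGS)) if i not in hit]


# Constructed sample (not a real capture) containing all 17 strings once.
SAMPLE_LANDING = (
    b'<html><head><meta name="VIEWPORT" content="width=device-width">\n'
    b"<script>function fl(){var a=0,b=window;d=screen.height:0);-10<b?1:0;\n"
    b"if(navigator.plugins.length)navigator.plugins[0].name.indexOf(0);else if(navigator.mimeTypes[0]);\n"
    b'var c=document.getElementsByTagName("body")[0].clientWidth;\n'
    b'var e=d?gr(),j:escape(c),e=f(e);b.href="http://128.164.107.221/presults.jsp?"+e;}\n'
    b'var k="Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z";\n'
    b'var m="FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA";\n'
    b'</script></head><body onload="fl()">'
)


def swap_infrastructure(data: bytes, new_host: bytes = b"203.0.113.10") -> bytes:
    """Simulate a campaign that moves to a new server but keeps the page.

    The new host is a made-up documentation address. Only $string8 is lost.
    """
    return data.replace(b"128.164.107.221", new_host)


def swap_redirect_path(data: bytes, new_path: bytes = b"/r.jsp") -> bytes:
    """Simulate a campaign that renames the redirect target.

    Because $string10 ("presults.jsp") is a substring of $string7
    ("/presults.jsp"), this single edit removes two of the 17 strings.
    """
    return data.replace(b"/presults.jsp", new_path)


if __name__ == "__main__":
    cases = {
        "original": SAMPLE_LANDING,
        "new server": swap_infrastructure(SAMPLE_LANDING),
        "new redirect path": swap_redirect_path(SAMPLE_LANDING),
        "both changed": swap_redirect_path(swap_infrastructure(SAMPLE_LANDING)),
    }
    for label, sample in cases.items():
        n = len(matched_strings(sample))
        print(f"{label:18} {n:2}/17 fires={rule_fires(sample)} missing={missing_strings(sample)}")
```

The run shows the margin the threshold buys: moving the kit to a new server leaves 16 strings and the rule still fires, while renaming the redirect target removes $string7 and $string10 together and the sample drops to 15, below the threshold. Before deployment, check the same samples against the real engine (yara -s zeroaccess_htm.yar sample.html prints the matched strings), since this re-implementation covers only plain ASCII strings without modifiers.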
Scenario: Scheduled System Maintenance Job
Description: A scheduled maintenance job (for example a schtasks.exe task) downloads or stages a file that the file scanner then flags. Keep in mind what the rule evaluates: file content only, not the file name, the downloading process or the hash recorded in the meta section. A hit therefore means the staged file contains at least 16 of the 17 strings, including the hardcoded address 128.164.107.221 or the two encoded blobs, which is far more likely to be a cached or archived copy of the landing page than a coincidental match on benign content.
Filter/Exclusion: Inspect the matched file before excluding anything. If it is confirmed benign (for example a stored threat-intelligence sample), exclude the job's download directory in the scanner's configuration rather than loosening the rule; a file-name pattern such as maintenance_*.exe is not something this rule can see or match on.
Scenario: Admin Tool for Patch Management
Description: Content delivered by Windows Update or WSUS (Windows Server Update Services) is unlikely to contain this landing page's fingerprinting script, redirect path and encoded blobs. A match on a patch-management client most plausibly originates from a proxy or browser cache on that host, not from the update payload itself.
Filter/Exclusion: Confirm where the matched file came from first. Where patch-management directories must be excluded, do so at the scanner (by path, or by download source such as update.microsoft.com or the internal WSUS server) rather than in the rule.
Scenario: Log Collection and Analysis Tool
Description: A log forwarder or analysis stack such as Splunk or ELK (Elasticsearch, Logstash, Kibana) can trigger the rule when it ingests or stores web proxy logs or captured HTTP bodies that contain the landing page itself. This is a true positive about the stored content, even though the host running the tool is not compromised.
Filter/Exclusion: Exclude the tool's data and cache directories (for example the splunkforwarder or logstash data paths) from routine file scanning, and instead run the rule over that captured content deliberately as a hunting query, where a hit identifies the client that fetched the page.
Scenario: Internal Software Deployment via SCCM
Description: A package deployed via Microsoft System Center Configuration Manager (SCCM) is flagged. The rule does not match on package names or hashes, only on content, so the package would have to carry the landing page strings themselves; treat a hit as a potentially tampered or mislabelled package until the content has been reviewed.
Filter/Exclusion: Verify the package contents; if legitimate, exclude the SCCM client cache and distribution point paths at the scanner rather than adding a condition for names such as SCCM_*.exe or DeploymentPackage_*.exe, which the rule cannot evaluate.
Scenario: Internal Development