The ZeroAccess Exploit Kit Detection rule flags JavaScript/HTML content that carries strings seen in ZeroAccess exploit-kit landing pages, which attackers use against compromised systems to deploy malware or establish command-and-control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and prevent the spread of advanced persistent threats within their environment.
YARA Rule
rule zeroaccess_js : EK js
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "ZeroAccess Exploit Kit Detection"
        hash0 = "a9f30483a197cfdc65b4a70b8eb738ab"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "Square ad tag (tile"
        $string1 = " adRandNum "
        $string2 = " cellspacing"
        $string3 = "\\n//-->\\n</script>"
        $string4 = "format"
        $string5 = "//-->' "
        $string6 = "2287974446"
        $string7 = "NoScrBeg "
        $string8 = "-- start adblade -->' "
        $string9 = "3427054556"
        $string10 = " while (i >"
        $string11 = "return '<table width"
        $string12 = "</scr' "
        $string13 = " s.substring(0, i"
        $string14 = " /></a></noscript>' "
        $string15 = " else { isEmail "
        $string16 = ").submit();"
        $string17 = " border"
        $string18 = "pub-8301011321395982"
    condition:
        18 of them
}
This rule contains 19 string patterns ($string0 through $string18) in its detection logic, and its condition (18 of them) fires only when at least 18 of those 19 strings are present in the scanned content, so a file missing two or more of them does not match. Note that $string4 ("format") and $string17 (" border") are common in ordinary web content; the high threshold is what keeps those generic strings from causing false positives on their own.
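The following is an added example, not part of the original rule or of YaraGenerator: a small pure-Python emulation of this rule's string matching and its "18 of them" threshold. It decodes the YARA text-string escapes (so $string3 matches a literal backslash-n, as the rule intends), counts distinct pattern hits in a byte buffer, and is exercised against constructed samples. Only plain, case-sensitive text strings are emulated; real YARA should be used for production scanning.

```python
import re

# The 19 text strings from the rule above, copied as YARA literals (quotes removed).
YARA_STRING_LITERALS = [
    r"Square ad tag (tile", r" adRandNum ", r" cellspacing",
    r"\\n//-->\\n</script>", r"format", r"//-->' ", r"2287974446",
    r"NoScrBeg ", r"-- start adblade -->' ", r"3427054556",
    r" while (i >", r"return '<table width", r"</scr' ",
    r" s.substring(0, i", r" /></a></noscript>' ", r" else { isEmail ",
    r").submit();", r" border", r"pub-8301011321395982",
]
THRESHOLD = 18  # condition: 18 of them

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "\\": "\\"}


def decode_yara_text(literal: str) -> str:
    """Decode a YARA text-string literal: \\n, \\t, \\r, \\", \\\\ and \\xHH."""
    def repl(m: re.Match) -> str:
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return _SIMPLE_ESCAPES[esc]
    return re.sub(r'\\(x[0-9a-fA-F]{2}|[ntr"\\])', repl, literal)


# Decoded patterns as bytes, since YARA matches raw file content.
PATTERNS = [decode_yara_text(s).encode() for s in YARA_STRING_LITERALS]


def match_zeroaccess_js(data: bytes) -> tuple:
    """Emulate the rule: count distinct patterns present, fire at >= THRESHOLD."""
    hits = sum(1 for p in PATTERNS if p in data)
    return hits >= THRESHOLD, hits


def build_sample(patterns: list) -> bytes:
    """Constructed sample page embedding the given patterns between filler lines."""
    return b"<html><script>\n" + b"\n".join(patterns) + b"\n</script></html>"


if __name__ == "__main__":
    print(match_zeroaccess_js(build_sample(PATTERNS)))        # all 19 -> (True, 19)
    print(match_zeroaccess_js(build_sample(PATTERNS[:17])))   # 17 of 19 -> (False, 17)
    print(match_zeroaccess_js(b"<p>format border</p>"))       # benign -> (False, 2)
```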
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that uses curl or wget to download a file from an internal or external server, which may be flagged due to the URL pattern.
Filter/Exclusion: Exclude traffic originating from known internal IP ranges or use a filter like src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or process_name = "schtasks.exe".
Scenario: Software Update via Proxy
Description: A system uses a proxy to download updates from a known upstream source (e.g., Microsoft Update or a third-party repository), which may trigger the rule due to the URL structure.
Filter/Exclusion: Exclude traffic to known update servers using dest_ip IN (4.2.2.1, 4.2.2.2, 13.107.6.49) or use a filter like dest_port = 443 AND url contains "update.microsoft.com".
Scenario: Admin Task Using PowerShell for Configuration
Description: An administrator uses PowerShell to download a configuration file from a secure internal server, which may be flagged due to the use of Invoke-WebRequest or similar commands.
Filter/Exclusion: Exclude PowerShell scripts run by privileged users, using user = "Administrator" or process_name = "powershell.exe", and check the script_block_hash or whether command_line contains "Invoke-WebRequest".
Scenario: Internal Monitoring Tool Data Collection
Description: A monitoring tool (e.g., Nagios, Zabbix) periodically fetches metrics from a remote server, which may be flagged due to the use