The Zeus Exploit Kit Detection rule identifies potential exploitation attempts by malicious actors using the Zeus framework to compromise endpoints, which may indicate initial compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage attacks before they escalate into full-scale breaches.
YARA Rule
rule zeus_js : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Zeus Exploit Kit Detection"
        hash0 = "c87ac7a25168df49a64564afb04dc961"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "var jsmLastMenu "
        $string1 = "position:absolute; z-index:99' "
        $string2 = " -1)jsmSetDisplayStyle('popupmenu' "
        $string3 = " '<tr><td><a href"
        $string4 = " jsmLastMenu "
        $string5 = " var ids "
        $string6 = "this.target"
        $string7 = " jsmPrevMenu, 'none');"
        $string8 = " if(jsmPrevMenu "
        $string9 = ")if(MenuData[i])"
        $string10 = " '<div style"
        $string11 = "popupmenu"
        $string12 = " jsmSetDisplayStyle('popupmenu' "
        $string13 = "function jsmHideLastMenu()"
        $string14 = " MenuData.length; i"
    condition:
        14 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
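Added example (not from the rule page or its author): stdlib-only Python that re-implements this rule's "14 of them" condition over a constructed buffer, so the threshold can be checked without yara-python; parse_rule, matched_strings, rule_matches and build_sample are names invented here. It also makes visible that $string4 is contained in $string0 and $string11 in $string2/$string12, so the effective threshold is lower than 14 distinct fragments in a file.

```python
import re

# The page's zeus_js strings and condition, embedded so this runs offline.
# The matcher re-implements only the "N of them" semantics this rule uses,
# not YARA in general; it is a stand-in for yara-python, not part of it.
ZEUS_JS_RULE = r'''
strings:
    $string0 = "var jsmLastMenu "
    $string1 = "position:absolute; z-index:99' "
    $string2 = " -1)jsmSetDisplayStyle('popupmenu' "
    $string3 = " '<tr><td><a href"
    $string4 = " jsmLastMenu "
    $string5 = " var ids "
    $string6 = "this.target"
    $string7 = " jsmPrevMenu, 'none');"
    $string8 = " if(jsmPrevMenu "
    $string9 = ")if(MenuData[i])"
    $string10 = " '<div style"
    $string11 = "popupmenu"
    $string12 = " jsmSetDisplayStyle('popupmenu' "
    $string13 = "function jsmHideLastMenu()"
    $string14 = " MenuData.length; i"
condition:
    14 of them
'''

STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)
COND_RE = re.compile(r'condition:\s*(\d+)\s+of\s+them')

def parse_rule(text):
    """Return ({name: pattern_bytes}, threshold) for a text-string-only rule."""
    strings = {}
    for name, raw in STRING_RE.findall(text):
        # Resolve YARA backslash escapes (\" \\ \n \xNN) the way Python does.
        strings[name] = raw.encode().decode("unicode_escape").encode("latin-1")
    return strings, int(COND_RE.search(text).group(1))

def matched_strings(strings, data):
    """Names of rule strings found anywhere in data; each name counts once."""
    return sorted(n for n, pat in strings.items() if pat in data)

def rule_matches(text, data):
    strings, threshold = parse_rule(text)
    return len(matched_strings(strings, data)) >= threshold

def build_sample(omit=()):
    """Constructed test buffer: the rule's own patterns minus `omit` (not a real sample)."""
    strings, _ = parse_rule(ZEUS_JS_RULE)
    return b"\n".join(p for n, p in strings.items() if n not in omit)
```

Dropping two non-overlapping fragments (for example $string6 and $string13) takes the count to 13 and the rule no longer fires, while dropping $string4 alone still yields all 15 hits because it occurs inside $string0.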
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that uses curl or wget to download a file from an external server, which may be flagged due to the URL pattern.
Filter/Exclusion: Exclude traffic from known internal or trusted external domains used by system maintenance tools (e.g., sysadmin-tools.com, internal-repo.example.com).

Scenario: Admin Task – Remote Code Execution (RCE) via SSH
Description: An administrator uses SSH to execute a script on a remote server, which includes a command that resembles exploit kit behavior (e.g., bash -c "wget ...").
Filter/Exclusion: Exclude commands executed via SSH from known admin user accounts (e.g., root, admin) or from specific IP ranges used by internal IT teams.

Scenario: Software Update Process
Description: A legitimate software update process downloads a payload from a third-party repository (e.g., apt, yum, or npm) that matches the exploit kit’s URL pattern.
Filter/Exclusion: Exclude traffic to known package repositories (e.g., archive.ubuntu.com, npmjs.org, download.docker.com).

Scenario: Log Collection and Analysis Tool
Description: A log aggregation tool (e.g., Fluentd, Logstash) uses curl to fetch logs from a remote server, which may be flagged due to the URL structure.
Filter/Exclusion: Exclude traffic to known log management services (e.g., logs.example.com, logstash.example.org).

Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from a private registry or external source, which may trigger the