Adversaries may use hook.js to establish browser-based persistence and control, leveraging BeEF’s capabilities to manipulate web browsers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and command-and-control activities.
YARA Rule
rule BeEF_browser_hooked
{
    meta:
        description = "Yara rule related to hook.js, BeEF Browser hooking capability"
        author = "Pasquale Stirparo"
        date = "2015-10-07"
        hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
    strings:
        $s0 = "mitb.poisonAnchor" wide ascii
        $s1 = "this.request(this.httpproto" wide ascii
        $s2 = "beef.logger.get_dom_identifier" wide ascii
        $s3 = "return (!!window.opera" wide ascii
        $s4 = "history.pushState({ Be:\"EF\" }" wide ascii
        $s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
        $s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
        $s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
        $s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
        $s9 = "mitb.sniff(" wide ascii
        $s10 = "Method XMLHttpRequest.open override" wide ascii
        $s11 = ".browser.hasWebSocket" wide ascii
        $s12 = ".mitb.poisonForm" wide ascii
        $s13 = "resolved=require.resolve(file,cwd||" wide ascii
        $s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
        $s15 = "beef.net.request" wide ascii
        $s16 = "uagent.search(engineOpera)" wide ascii
        $s17 = "mitb.sniff" wide ascii
        $s18 = "beef.logger.start" wide ascii
    condition:
        all of them
}
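To see how the rule's condition behaves on real input, here is an added example (not part of the original page or of the BeEF project) that re-implements its string matching in plain Python; it assumes the patterns exactly as listed in the rule above and constructs its own sample inputs rather than using a real hook.js:

```python
# Added example, not from the original page: a pure-Python emulation of the
# BeEF_browser_hooked rule's matching, so the 'all of them' condition and the
# 'wide ascii' modifiers can be tried offline. Literals have YARA escapes resolved.
PATTERNS = {
    "s0": "mitb.poisonAnchor",
    "s1": "this.request(this.httpproto",
    "s2": "beef.logger.get_dom_identifier",
    "s3": "return (!!window.opera",
    "s4": 'history.pushState({ Be:"EF" }',
    "s5": r"window.navigator.userAgent.match(/Opera\/9\.80.*Version\/10\./)",
    "s6": r"window.navigator.userAgent.match(/Opera\/9\.80.*Version\/11\./)",
    "s7": "window.navigator.userAgent.match(/Avant TriCore/)",
    "s8": "window.navigator.userAgent.match(/Iceweasel",
    "s9": "mitb.sniff(",
    "s10": "Method XMLHttpRequest.open override",
    "s11": ".browser.hasWebSocket",
    "s12": ".mitb.poisonForm",
    "s13": "resolved=require.resolve(file,cwd||",
    "s14": r"if (document.domain == domain.replace(/(\r\n|\n|\r)/gm",
    "s15": "beef.net.request",
    "s16": "uagent.search(engineOpera)",
    "s17": "mitb.sniff",
    "s18": "beef.logger.start",
}

def string_hits(data: bytes) -> dict:
    """Map each string id to whether its ascii or wide (UTF-16LE) form occurs."""
    return {
        sid: pat.encode("ascii") in data or pat.encode("utf-16-le") in data
        for sid, pat in PATTERNS.items()
    }

def rule_matches(data: bytes) -> bool:
    """Rule condition 'all of them': every string must occur at least once."""
    return all(string_hits(data).values())

def missing_strings(data: bytes) -> list:
    """Strings a sample lacks; explains why 'all of them' failed."""
    return [sid for sid, hit in string_hits(data).items() if not hit]

# Constructed samples: a blob holding every pattern, the same blob stored as
# UTF-16LE (wide), and a variant with the beef.logger calls stripped out.
FULL_ASCII = "\n".join(PATTERNS.values()).encode("ascii")
FULL_WIDE = "\n".join(PATTERNS.values()).encode("utf-16-le")
STRIPPED = "\n".join(p for p in PATTERNS.values() if "beef.logger" not in p).encode()

if __name__ == "__main__":
    for name, blob in [("ascii", FULL_ASCII), ("wide", FULL_WIDE), ("stripped", STRIPPED)]:
        print(name, rule_matches(blob), missing_strings(blob))
```

Because the condition is "all of them", a trimmed, minified or partially obfuscated hook.js that lacks even one of the 19 strings (the stripped sample above) will not fire; when tuning, compare the missing-string output against real builds before relying on the rule alone.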
This rule contains 19 string patterns in its detection logic, and its condition requires all of them to be present. The following scenarios describe legitimate activity that may trigger it, each with a suggested filter or exclusion:
Scenario: Legitimate use of hook.js in a custom web application
Description: A developer may include hook.js as part of a custom front-end framework or for analytics tracking.
Filter/Exclusion: Check for presence of a known legitimate hook.js file path (e.g., /app/assets/javascripts/hook.js) and ensure it is not part of a malicious payload.
Scenario: Scheduled system maintenance task using hook.js
Description: An admin may run a scheduled job that uses hook.js for automated browser testing or UI automation.
Filter/Exclusion: Filter by process owner (e.g., root, system, or a known admin user) and check for presence of a legitimate task scheduler entry (e.g., /etc/cron.d/maintenance).
Scenario: BeEF framework usage by security team for red teaming
Description: Security teams may use BeEF (Browser Exploitation Framework) for penetration testing and security training.
Filter/Exclusion: Check for presence of a known BeEF server IP or domain in the network, and filter by user context (e.g., security-team or red-team).
Scenario: Browser automation tool using hook.js for UI testing
Description: Tools like Selenium or Cypress may use hook.js for hooking into browser events during automated testing.
Filter/Exclusion: Filter by process name (e.g., selenium, cypress, or webdriver) and check for presence of a known testing framework directory.
Scenario: Malware analysis environment with BeEF hooking
Description: In a sandboxed environment, malware analysts may use BeEF to simulate browser hooking for analysis.
Filter/Exclusion: Check for presence of a sandbox environment identifier