EXPLOIT-KIT -- Snort has alerted on traffic that is typical of known exploit kits. Exploit kits are pre-packaged sets of code and malware geared toward finding and taking advantage of common vulnerabilities in browsers and browser plugins. Their landing pages are typically JavaScript that fingerprints the visiting browser and provides the entry point into the system for the next stage of the attack. Snort's rules look for known exploit kit nomenclature, information sent back to the kit's server that exposes details of the victim's environment, attempts to reach a particular file, and similar indicators. Rules try to identify the exact kit being used based on actor-group patterns, such as favored target websites, malware types, and code similarities.
EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
This rule looks for attempts to exploit a sandbox bypass vulnerability in the Oracle Java Applet ProviderSkeleton class, delivered as a Java archive by the Sweet Orange exploit kit.
The rule alerts on a request for a Java archive (.jar) file on the port(s) defined in the rule, the pattern Sweet Orange uses to deliver its Java exploit to a browser that has been directed to one of its landing pages.
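As an added example (not part of the Talos rule documentation and not the Snort rule itself), the following Python hunts HTTP proxy logs for the same indicator the rule alerts on: a .jar file requested over HTTP on a non-standard port. The log format, the sample log lines and the DEFINED_PORTS set are constructed assumptions for illustration; the actual port list used by the Snort rule is not given on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the original page).
# Format assumed here: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2013-06-14T10:01:02Z 10.0.0.21 GET http://192.0.2.10:8080/index.php?q=cars 200
2013-06-14T10:01:03Z 10.0.0.21 GET http://192.0.2.10:8080/images/logo.png 200
2013-06-14T10:01:05Z 10.0.0.21 GET http://192.0.2.10:8080/zf3gt/ueoJ.jar 200
2013-06-14T10:02:11Z 10.0.0.33 GET http://www.example.com/downloads/tool.jar 200
2013-06-14T10:03:40Z 10.0.0.45 GET http://192.0.2.44:8080/report.pdf 200
"""

# Hypothetical "defined ports": non-standard HTTP ports the analyst treats as
# suspicious for jar delivery. The real rule's port list is not on the page.
DEFINED_PORTS = {8080, 8000, 8888}

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


@dataclass(frozen=True)
class JarRequest:
    """One client request for a .jar on a port of interest."""
    client: str
    host: str
    port: int
    path: str


def jar_requests_on_defined_ports(log_text, ports=DEFINED_PORTS):
    """Return the .jar requests whose destination port is in `ports`.

    Lines that do not match the assumed log format are skipped rather than
    raising, so a partially garbled log does not abort the hunt.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        # Default the port from the scheme when the URL does not carry one.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port in ports and parts.path.lower().endswith(".jar"):
            hits.append(JarRequest(client, parts.hostname, port, parts.path))
    return hits


def clients_to_triage(log_text, ports=DEFINED_PORTS):
    """Distinct internal hosts that fetched a .jar on a defined port."""
    return sorted({hit.client for hit in jar_requests_on_defined_ports(log_text, ports)})


if __name__ == "__main__":
    for hit in jar_requests_on_defined_ports(SAMPLE_LOG):
        print(f"{hit.client} fetched {hit.path} from {hit.host}:{hit.port}")
    print("hosts to triage:", clients_to_triage(SAMPLE_LOG))
```

The jar fetched from the standard port 80 on www.example.com is deliberately not flagged: the indicator here is the combination of a .jar request and the non-standard port, which is what narrows the match to exploit-kit delivery rather than ordinary Java downloads. A host that appears in the triage list should be checked for a preceding visit to a compromised site and for the Java version installed on it.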
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE::ATT&CK Framework::Enterprise::Initial Access::Drive-by Compromise
None
No information provided
None
Tactic: Execution
Technique: Exploitation for Client Execution
For reference, see the MITRE ATT&CK tactics and techniques here: https://attack.mitre.org