Improved Adwind RAT rule

rules/windows/malware/win_mal_adwind.yml

@@ -2,18 +2,13 @@
 action: global
 title: Adwind RAT / JRAT
 status: experimental
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT 
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 reference:
     - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth
 date: 2017/11/09
 detection:
-    selection:
-        # Could be %AppData%\Oracle\javaw.exe
-        # or       %AppData%\Oracle\bin\javaw.exe 
-        # %AppData% expands to ..\AppData\Roaming\
-        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'
     condition: selection
 falsepositives:
     - 'Unknown'
@@ -25,6 +20,15 @@ logsource:
 detection:
     selection:
         EventID: 1
+        Image: '*\AppData\Roaming\Oracle*\javaw.exe'
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFileName: '*\AppData\Roaming\Oracle*\javaw.exe'
 ---
 logsource:
     product: windows
@@ -33,3 +37,4 @@ logsource:
 detection:
     selection:
         EventID: 4688
+        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'