From 57d56dddb7b464d36681d6827fb6807640a4518c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 9 Nov 2017 18:53:46 +0100
Subject: [PATCH] Improved Adwind RAT rule

---
 rules/windows/malware/win_mal_adwind.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
index 37ff35cd..e6574ade 100644
--- a/rules/windows/malware/win_mal_adwind.yml
+++ b/rules/windows/malware/win_mal_adwind.yml
@@ -2,18 +2,13 @@ action: global
 title: Adwind RAT / JRAT
 status: experimental
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 reference:
     - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth
 date: 2017/11/09
 detection:
-    selection:
-        # Could be %AppData%\Oracle\javaw.exe
-        # or %AppData%\Oracle\bin\javaw.exe
-        # %AppData% expands to ..\AppData\Roaming\
-        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'
     condition: selection
 falsepositives:
     - 'Unknown'
@@ -25,6 +20,15 @@ logsource:
 detection:
     selection:
         EventID: 1
+        Image: '*\AppData\Roaming\Oracle*\javaw.exe'
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFileName: '*\AppData\Roaming\Oracle*\javaw.exe'
 ---
 logsource:
     product: windows
@@ -33,3 +37,4 @@ logsource:
 detection:
     selection:
         EventID: 4688
+        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'
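Review bot: The new Sysmon Event ID 11 document keys on `TargetFileName`, but Sysmon's FileCreate event names that field `TargetFilename` (lowercase n); on backends with case-sensitive field names this selection will never match. Change the added line to `TargetFilename: '*\AppData\Roaming\Oracle*\javaw.exe'`. The first hunk also removes the comments that explained why the pattern uses `Oracle*` (both `%AppData%\Oracle\javaw.exe` and `%AppData%\Oracle\bin\javaw.exe` are seen), so the new `Image`/`TargetFilename` patterns are now undocumented; I would re-add that rationale above the `Image:` line, e.g. `# Oracle* also covers %AppData%\Oracle\bin\javaw.exe`.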
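Review bot: The 4688 selection now relies solely on `CommandLine`, which Windows only populates when the "Include command line in process creation events" audit setting is enabled; on hosts without it the field is empty and this document never fires. The trailing space in `'*\AppData\Roaming\Oracle*\javaw.exe *'` also appears to miss launches where the executable path is quoted (`...\javaw.exe" -jar ...`) or has no arguments at all. Since the global `condition: selection` ANDs every field in the selection, adding a second field would tighten rather than widen it, so I would match on the always-present process path instead: `NewProcessName: '*\AppData\Roaming\Oracle*\javaw.exe'`. If `CommandLine` is kept, the audit-policy prerequisite belongs in the rule's description or a comment on that line.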