Improved Adwind RAT rule

2024-11-07 01:45:21 +00:00 · 2017-11-09 18:53:46 +01:00 · 2017-11-09 18:53:46 +01:00 · 57d56dddb7
commit 57d56dddb7
parent b558f5914e
1 changed files with 11 additions and 6 deletions
--- a/rules/windows/malware/win_mal_adwind.yml
+++ b/rules/windows/malware/win_mal_adwind.yml
@ -9,11 +9,6 @@ reference:
 author: Florian Roth
 date: 2017/11/09
 detection:
-    selection:
-        # Could be %AppData%\Oracle\javaw.exe
-        # or       %AppData%\Oracle\bin\javaw.exe 
-        # %AppData% expands to ..\AppData\Roaming\
-        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'
    condition: selection
 falsepositives:
    - 'Unknown'
@ -25,6 +20,15 @@ logsource:
 detection:
    selection:
        EventID: 1
+        Image: '*\AppData\Roaming\Oracle*\javaw.exe'
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFileName: '*\AppData\Roaming\Oracle*\javaw.exe'
 ---
 logsource:
    product: windows
@ -33,3 +37,4 @@ logsource:
 detection:
    selection:
        EventID: 4688
+        CommandLine: '*\AppData\Roaming\Oracle*\javaw.exe *'