SigmaHQ/rules/windows/process_creation/win_mal_adwind.yml

45 lines
1.2 KiB
YAML

action: global
title: Adwind RAT / JRAT
status: experimental
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi
date: 2017/11/10
modified: 2018/12/11
tags:
- attack.execution
- attack.t1064
detection:
condition: selection
level: high
---
logsource:
category: process_creation
product: windows
detection:
selection:
ProcessCommandLine:
- '*\AppData\Roaming\Oracle*\java*.exe *'
- '*cscript.exe *Retrive*.vbs *'
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename:
- '*\AppData\Roaming\Oracle\bin\java*.exe'
- '*\Retrive*.vbs'
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
Details: '%AppData%\Roaming\Oracle\bin\\*'