SigmaHQ/rules/windows/process_creation/win_mal_adwind.yml

action: global
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: experimental
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2021/06/27
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1064  # an old one
detection:
    condition: selection
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - '\AppData\Roaming\Oracle'
            - '\java'
            - '.exe '
        - CommandLine|contains|all:
            - 'cscript.exe'
            - 'Retrive'
            - '.vbs '
---
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains|all:
            - '\AppData\Roaming\Oracle\bin\java'
            - '.exe'
        - TargetFilename|contains|all:
            - '\Retrive'
            - '.vbs'
---
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        Details|startswith: '%AppData%\Roaming\Oracle\bin\'