rules/windows/process_creation/win_mal_adwind.yml

action: global
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: experimental
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi
date: 2017/11/10
modified: 2020/09/01
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1064  # an old one
detection:
    condition: selection
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\AppData\Roaming\Oracle*\java*.exe *'
            - '*cscript.exe *Retrive*.vbs *'
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11
        TargetFilename:
            - '*\AppData\Roaming\Oracle\bin\java*.exe'
            - '*\Retrive*.vbs'
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
        Details: '%AppData%\Roaming\Oracle\bin\\*'
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`action: global`
			`title: Adwind RAT / JRAT`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1fac1481-2dbc-48b2-9096-753c49b4ec71`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
			`description: Detects javaw.exe in AppData folder as used by Adwind / JRAT`
			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100`
			`- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`author: Florian Roth, Tom Ueltschi`
			`date: 2017/11/10`
att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:36 +00:00			`modified: 2020/09/01`
Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00			`tags:`
			`- attack.execution`
Further subtechnique updates 2020-06-17 11:31:40 -06:00			`- attack.t1059.005`
att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:36 +00:00			`- attack.t1059.007`
			`- attack.t1064 # an old one`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: high`
			`---`
			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00			`CommandLine:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- '\AppData\Roaming\Oracle\java.exe '`
			`- 'cscript.exe Retrive.vbs '`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`---`
			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`product: windows`
			`service: sysmon`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
			`EventID: 11`
			`TargetFilename:`
			`- '\AppData\Roaming\Oracle\bin\java.exe'`
			`- '\Retrive.vbs'`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`---`
			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`product: windows`
			`service: sysmon`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
			`EventID: 13`
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00			`TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`Details: '%AppData%\Roaming\Oracle\bin\\*'`