security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/deprecated/windows/registry_set_malware_adwind.yml
T
Nasreddine Bencherchali 8cbcaea48a Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives 
fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs
new: Service Binary in User Controlled Folder
remove: Adwind RAT / JRAT - Registry
remove: Service Binary in Uncommon Folder
update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-03-26 13:28:49 +01:00

29 lines
1015 B
YAML
Raw Blame History

title: Adwind RAT / JRAT - Registry
id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
status: deprecated
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2024/03/26
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Details|startswith: '%AppData%\Roaming\Oracle\bin\'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink