security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d57d7c1e5b58eb7e520f50ba140bed4b7cfa6607
blue-team-tools/rules/windows/process_creation/win_mal_adwind.yml
T
Jonhnathan 483748c2c3 Update win_mal_adwind.yml
2020-10-15 17:59:24 -03:00

48 lines
1.3 KiB
YAML
Raw Blame History

action: global
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: experimental
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi
date: 2017/11/10
modified: 2020/09/01
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- attack.t1064 # an old one
detection:
condition: selection
level: high
---
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '\AppData\Roaming\Oracle*\java*.exe '
- 'cscript.exe *Retrive*.vbs '
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|endswith:
- '\AppData\Roaming\Oracle\bin\java*.exe'
- '\Retrive*.vbs'
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Details|startswith: '%AppData%\Roaming\Oracle\bin\\'
Reference in New Issue View Git Blame Copy Permalink