Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Sigma rule (View on GitHub)

 1title: Adwind RAT / JRAT File Artifact
 2id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
 3related:
 4    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
 5      type: derived
 6status: test
 7description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 8references:
 9    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
10    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
11author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
12date: 2017-11-10
13modified: 2022-12-02
14tags:
15    - attack.execution
16    - attack.t1059.005
17    - attack.t1059.007
18logsource:
19    category: file_event
20    product: windows
21detection:
22    selection:
23        - TargetFilename|contains|all:
24              - '\AppData\Roaming\Oracle\bin\java'
25              - '.exe'
26        - TargetFilename|contains|all:
27              - '\Retrive'
28              - '.vbs'
29    condition: selection
30level: high

References

Related rules

to-top