Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.communityCreated Fri Nov 10Updated Fri Dec 020bcfabcb-7929-47f4-93d6-b33fb67d34d1windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - TargetFilename|contains|all:
              - '\AppData\Roaming\Oracle\bin\java'
              - '.exe'
        - TargetFilename|contains|all:
              - '\Retrive'
              - '.vbs'
    condition: selection
References
1
Resolving title…
hybrid-analysis.com
2
Resolving title…
first.org
MITRE ATT&CK
Related Rules
DerivedEmerging Threathigh

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
0bcfabcb-7929-47f4-93d6-b33fb67d34d1
Status
test
Level
high
Type
Detection
Created
Fri Nov 10
Modified
Fri Dec 02
Author
Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
Path
rules/windows/file/file_event/file_event_win_mal_adwind.yml
Raw Tags
attack.executionattack.t1059.005attack.t1059.007
View on GitHub