Adversaries may drop and run javaw.exe from the user's AppData folder as part of Adwind or JRAT (Java-based RAT) execution, using it to maintain persistence and exfiltrate data. SOC teams should proactively hunt for this file artifact in Azure Sentinel so that a long-term compromise and data theft can be identified and mitigated.
Detection Rule
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
      type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains|all:
            - '\AppData\Roaming\Oracle\bin\java'
            - '.exe'
        - TargetFilename|contains|all:
            - '\Retrive'
            - '.vbs'
    condition: selection
level: high
imFileEvent
// In the ASIM FileEvent schema TargetFileName carries only the file name, so the path tests below must run against TargetFilePath (full path, including name).
| where (TargetFilePath contains "\\AppData\\Roaming\\Oracle\\bin\\java" and TargetFilePath contains ".exe") or (TargetFilePath contains "\\Retrive" and TargetFilePath contains ".vbs")
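The following is an added example, not code from the original page or from the Sigma project: a minimal Python evaluator for the `contains|all` selection above, run over a handful of constructed Sysmon-style file-create records. It makes the rule's semantics explicit, namely that the two maps under `selection` are OR'd, the values under `contains|all` are AND'd, and string matching is case-insensitive, so a benign `java.policy` written to the same Oracle\bin directory does not fire while an upper-cased path does. The event records and field names (`EventID`, `Image`, `TargetFilename`) are constructed for the example.

```python
# Added example: evaluate the Sigma selection above against constructed
# file-event records. Not the Sigma project's own code.
from typing import Any, Dict, List

# The rule's detection block transcribed as a Python structure. A list under
# `selection` is OR'd; the entries of each map are AND'd; `contains|all`
# requires every listed value to be a substring of the field.
SELECTION: List[Dict[str, List[str]]] = [
    {"TargetFilename|contains|all": ["\\AppData\\Roaming\\Oracle\\bin\\java", ".exe"]},
    {"TargetFilename|contains|all": ["\\Retrive", ".vbs"]},
]


def _field_matches(field_spec: str, values: List[str], event: Dict[str, Any]) -> bool:
    """Evaluate one `Field|modifier|...` entry against an event.

    Only the modifiers this rule uses are implemented: `contains`, optionally
    combined with `all`. Sigma string matching is case-insensitive, so both
    sides are lower-cased before comparison.
    """
    field, *modifiers = field_spec.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    if "contains" not in modifiers:
        raise NotImplementedError(f"unsupported modifiers: {modifiers}")
    haystack = str(actual).lower()
    hits = [value.lower() in haystack for value in values]
    return all(hits) if "all" in modifiers else any(hits)


def _map_matches(selection_map: Dict[str, List[str]], event: Dict[str, Any]) -> bool:
    # Every field entry inside one map must match (AND).
    return all(_field_matches(spec, vals, event) for spec, vals in selection_map.items())


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies `condition: selection` (OR over maps)."""
    return any(_map_matches(m, event) for m in SELECTION)


def hunt(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 11 shape; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Oracle\\bin\\javaw.exe"},  # branch 1
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Retrive1234.vbs"},  # branch 2
    {"EventID": 11, "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
     "TargetFilename": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe"},  # system-wide JRE: no match
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\dave\\AppData\\Roaming\\Oracle\\bin\\java.policy"},  # lacks ".exe": no match
    {"EventID": 11, "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",
     "TargetFilename": "C:\\USERS\\CAROL\\APPDATA\\ROAMING\\ORACLE\\BIN\\JAVA.EXE"},  # case variant: match
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"])
```

Running the block prints three alerts (the javaw.exe drop, the Retrive*.vbs drop, and the upper-cased java.exe drop). The `java.policy` record shows why the `all` modifier matters: without the `.exe` condition, any file written under Oracle\bin whose name starts with `java` would fire.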
Scenario: Legitimate Java Application Execution
Description: A Java-based application (e.g., Jenkins, Jira, or a custom Java tool) is running under javaw.exe in the AppData folder.
Filter/Exclusion: Check for known legitimate Java applications by inspecting the command line arguments or parent process. Exclude processes associated with jenkins.exe, jira.exe, or java.exe from the detection logic.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a Java-based maintenance script (e.g., log cleanup or configuration update) using javaw.exe in AppData.
Filter/Exclusion: Filter out tasks associated with Task Scheduler or schtasks.exe. Use process parent or command line to identify legitimate maintenance scripts.
Scenario: Admin Task Using Java Tools
Description: An administrator is running a Java-based diagnostic or monitoring tool (e.g., jconsole, jvisualvm, or jstat) in AppData.
Filter/Exclusion: Exclude processes initiated by user accounts with elevated privileges or known admin tools. Use process owner or command line to distinguish from malicious activity.
Scenario: Antivirus or Security Software Scan
Description: A security tool (e.g., Bitdefender, Kaspersky, or Windows Defender) uses javaw.exe for malware scanning or analysis in AppData.
Filter/Exclusion: Exclude processes with parent processes related to antivirus software (e.g., msseces.exe, bdagent.exe, or mfev.exe). Use parent process analysis to filter out legitimate security operations.
Scenario: Custom Script or Tool for Internal Use
Description: An internal tool or script (e.g., a custom Java-based reporting tool) is executed via javaw.exe in AppData by a trusted