Adversaries may deliver Java-based payloads as email attachments to gain remote access on whichever operating system the recipient runs, since a JAR executes anywhere a Java runtime is installed. SOC teams can hunt for this delivery stage in Microsoft Sentinel (formerly Azure Sentinel) using the Microsoft Defender XDR email tables, to surface Adwind RAT activity that relies on JAR attachments for initial compromise. Note that the query below only identifies incoming mail carrying a JAR attachment; it does not confirm that the file was opened or executed.
KQL Query

```kql
// Collect the message IDs of every email whose attachment was identified as a Java archive.
// The let-variable name is kept from the original published query; it holds JAR messages, not HTML.
// KQL's startswith is case-insensitive, so "Jar", "jar" and "JAR" all match.
let mailsHTML = EmailAttachmentInfo
| where FileType startswith "Jar"
| distinct NetworkMessageId;
// Return the corresponding email events; AttachmentCount > 0 guards against metadata-only rows.
EmailEvents
| where NetworkMessageId in (mailsHTML) and AttachmentCount > 0
```
```yaml
id: 3a45afa5-e955-4bff-8876-a42934f3533f
name: jar-attachments
description: |
  This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact.
  Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices.
  The query below must be run in Microsoft Defender XDR. This query detects events where a single Java archive, or JAR file, was attached to an incoming email. Since Adwind is distributed as a JAR file, this can help detect the initial access stage of an Adwind attack. Note that, although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar techniques. Also note that JAR attachments are not necessarily or even often malware, and that further research will be needed to determine if query results are associated with malicious behavior.
  See Hiding a Java class file for an additional query that detects behavior associated with Adwind attacks.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
      - EmailEvents
tactics:
  - Initial access
query: |
  let mailsHTML = EmailAttachmentInfo
  | where FileType startswith "Jar"
  | distinct NetworkMessageId;
  EmailEvents
  | where NetworkMessageId in (mailsHTML) and AttachmentCount > 0
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and this table is selected |
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and this table is selected |
The query matches on email attachment metadata only. A Java process running on a host (a cron job, a monitoring agent, a reporting tool) never produces an EmailAttachmentInfo row and is therefore never matched; only emails that carry a JAR are. The false-positive scenarios below are therefore all cases of legitimate JARs sent by mail, and the exclusions use the real columns of the two tables. Sender addresses, domains and hashes in the filters are placeholders to be replaced with your organisation's own values.

Scenario: Legitimate Java Application Deployment
Description: An administrator or a software vendor distributes a legitimate Java application (e.g., a Jenkins or Jira plugin, or a custom Java service) as a JAR attachment. The query keys on the detected file type alone, so these emails are returned alongside suspicious ones.
Filter/Exclusion: on the EmailEvents side, add `| where SenderFromDomain !in ("vendor.example.com")` (placeholder domain). Where the set of approved artifacts is known, an allowlist on the EmailAttachmentInfo side, `| where SHA256 !in ("<sha256 of approved build>")`, is stronger than any sender or file-name match, because an attacker controls both the display name and the file name.

Scenario: Scheduled Job Mailing Java Artifacts
Description: A scheduled job (cron, Windows Task Scheduler, or an Apache NiFi, Talend or custom ETL pipeline) emails its JAR output or a job-runner JAR to an internal distribution list. Only the email it sends is matched, not the job itself.
Filter/Exclusion: on the EmailEvents side, add `| where not(EmailDirection == "Intra-org" and SenderFromAddress == "etl-jobs@contoso.com")` (placeholder automation mailbox). Keep the exclusion tied to a specific sender; excluding all intra-org mail would hide a compromised internal account forwarding a payload.

Scenario: Admin Distributing Java Monitoring Tooling
Description: An admin emails a Java-based monitoring component (e.g., a Prometheus JMX exporter JAR or a Grafana plugin) to colleagues.
Filter/Exclusion: on the EmailAttachmentInfo side, before `distinct`, add `| where not(SenderFromAddress == "admin@contoso.com" and FileName matches regex @"(?i)(exporter|grafana)")` (placeholder sender). A file-name pattern on its own is not a safe exclusion; pair it with the sender, or replace it with a SHA256 allowlist.

Scenario: Email with a JAR for Code Signing or Deployment
Description: A developer sends a JAR file to the release or code-signing team by email, and it is flagged because of its file type. If the JAR is instead wrapped in a password-protected archive, FileType describes the archive, not its contents, and the email is not matched at all.
Filter/Exclusion: on the EmailAttachmentInfo side, add `| where SHA256 !in ("<sha256 of approved build>")` for the specific artifacts, or on the EmailEvents side `| where not(EmailDirection == "Intra-org" and RecipientEmailAddress == "release@contoso.com")` (placeholder mailbox). Matching on words such as "signing" in the file name is not recommended, since the name is attacker-controlled.

Scenario: Java-based Reporting Tool Usage
Description: A user emails a report package that includes a JasperReports, Pentaho, or Talend reporting JAR, and the email is flagged because a JAR file is among its attachments. Running the reporting tool locally does not produce a match.
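The published query returns EmailEvents rows only, so an analyst has to go back to EmailAttachmentInfo to see which file triggered each hit. The following is an added example, not part of the original Microsoft query or the scenarios above, that joins the two tables, restricts results to delivered inbound mail, applies the sender-domain and SHA256 allowlists the scenarios describe, and groups by message so that one JAR sent to many recipients shows up once. The lookback window, the `build.example.com` domain and the empty hash list are assumptions to replace with your own values.

```kql
// Added example: joined and tuned version of the JAR-attachment hunt.
// Placeholder values (lookback, allowlists) are assumptions, not values from the original query.
let lookback = 7d;
let allowedSenderDomains = dynamic(["build.example.com"]);   // assumption: trusted automation domain
let allowedJarHashes = dynamic([]);                           // SHA256 of approved build artifacts, if any
// Attachment-level view: one row per JAR attachment per recipient.
let jarAttachments = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType startswith "Jar"                         // case-insensitive in KQL
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256,
              AttachmentThreatTypes = ThreatTypes,
              AttachmentDetectionMethods = DetectionMethods;
EmailEvents
| where Timestamp > ago(lookback)
| where AttachmentCount > 0
| where EmailDirection == "Inbound"                           // external senders; adjust for intra-org hunting
| where DeliveryAction == "Delivered"                         // mail the user can actually open
| join kind=inner jarAttachments on NetworkMessageId, RecipientEmailAddress
| where SenderFromDomain !in (allowedSenderDomains)          // scenario 1: known deployment/vendor domains
| where SHA256 !in (allowedJarHashes)                        // scenarios 1 and 4: approved artifacts
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain, SenderIPv4,
          RecipientEmailAddress, Subject, FileName, SHA256,
          DeliveryAction, DeliveryLocation, ThreatTypes, AttachmentThreatTypes
// Collapse per-recipient rows so a single campaign email appears once, with its reach.
| summarize RecipientCount = dcount(RecipientEmailAddress),
            Recipients = make_set(RecipientEmailAddress, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by NetworkMessageId, SenderFromAddress, SenderFromDomain, SenderIPv4, Subject, FileName, SHA256,
       DeliveryAction, DeliveryLocation
| order by FirstSeen desc
```

The `DeliveryAction == "Delivered"` clause drops mail that Defender already blocked or junked; if your users can release items from the junk folder, widen it to `DeliveryAction in ("Delivered", "Junked")`. `SHA256` from the join is the value to pivot on next: the same hash appearing in DeviceFileEvents or DeviceProcessEvents on an endpoint is the evidence that the initial-access stage this query targets actually progressed.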