The StrRAT-AV-Discovery rule detects potential adversary behavior involving the use of StrRAT, a remote access tool that may be used to exfiltrate data and execute additional malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by an adversary leveraging StrRAT for persistence and lateral movement.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
| where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'
```
```yaml
id: 7ea16edd-7acc-4817-a06d-0e845b4a7260
name: StrRAT-AV-Discovery
description: |
  StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName in~("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
  | where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
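To see exactly which events the rule above surfaces, the following Python re-implements its predicate over constructed DeviceProcessEvents records and exercises the KQL semantics that matter here: `in~` is case-insensitive, `==` is not, and `has` matches whole terms only (so "roaming" inside "roamingtools" does not count). This is an added example, not code from the rule or from Microsoft; the sample events and the `kql_has` approximation are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the rule reads."""
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FileName: str
    ProcessCommandLine: str


def kql_has(text: str, phrase: str) -> bool:
    """Approximate KQL 'has': case-insensitive, whole-term match, so the phrase
    must start and end at a term boundary (non-alphanumeric character)."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(phrase) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


JAVA_PARENTS = {"java.exe", "javaw.exe"}  # compared with in~ (case-insensitive)


def is_strrat_av_discovery(ev: DeviceProcessEvent) -> bool:
    """Same predicate as the KQL: a Java parent launched from a 'roaming' path
    spawning cmd.exe that enumerates installed antivirus products."""
    return (ev.InitiatingProcessFileName.lower() in JAVA_PARENTS
            and kql_has(ev.InitiatingProcessCommandLine, "roaming")
            and ev.FileName == "cmd.exe"  # == is case-sensitive, as in KQL
            and kql_has(ev.ProcessCommandLine, "path antivirusproduct get displayname"))


AV_QUERY = "cmd.exe /c wmic path antivirusproduct get displayname"

# Constructed sample telemetry (not real data). Only indices 0 and 2 should alert:
# 1 has no 'roaming' term, 3 has 'roaming' only as part of a larger term,
# 4 spawns powershell.exe rather than cmd.exe.
SAMPLE_EVENTS = [
    DeviceProcessEvent("javaw.exe", r"javaw.exe -jar C:\Users\u\AppData\Roaming\x.jar", "cmd.exe", AV_QUERY),
    DeviceProcessEvent("java.exe", r"java.exe -jar C:\Program Files\Tool\diag.jar", "cmd.exe", AV_QUERY),
    DeviceProcessEvent("JAVAW.EXE", r"JAVAW.EXE -jar C:\USERS\U\APPDATA\ROAMING\X.JAR", "cmd.exe", AV_QUERY.upper()),
    DeviceProcessEvent("javaw.exe", r"javaw.exe -jar C:\roamingtools\x.jar", "cmd.exe", AV_QUERY),
    DeviceProcessEvent("javaw.exe", r"javaw.exe -jar C:\Users\u\AppData\Roaming\x.jar", "powershell.exe", AV_QUERY),
]


def hunt(events):
    """Return the indices of events the rule would surface."""
    return [i for i, ev in enumerate(events) if is_strrat_av_discovery(ev)]


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # [0, 2]
```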
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a Java-based utility for system diagnostics or patching.
Filter/Exclusion: A blanket exclusion such as process.name NOT IN ("java", "javaw") is not usable here, since the rule requires a Java parent; instead check for known maintenance tools like Microsoft System Center or WSUS in the process tree.

Scenario: Admin Using Java-Based Management Tool
Description: An administrator uses a Java-based management tool (e.g., JConsole, JMeter, or Jenkins) to monitor or manage application servers.
Filter/Exclusion: process.name IN ("jconsole", "jmeter", "jenkins") or check for known admin tools in the process tree.

Scenario: Browser Plugin or Extension Execution
Description: A legitimate browser plugin or extension (e.g., in Google Chrome or Firefox) uses Java to execute scripts or interact with web content.
Filter/Exclusion: process.name IN ("chrome", "firefox") or check for known browser extensions that use Java.

Scenario: Java-Based Reporting Tool Execution
Description: A Java-based reporting tool (e.g., Crystal Reports, JasperReports) is used to generate reports from a database.
Filter/Exclusion: process.name IN ("crystal", "jasper") or check for known reporting tools in the process tree.

Scenario: Java-Based Automation Script Execution
Description: A Java-based automation script (e.g., Apache Ant, Maven, or Gradle) is run as part of a CI/CD pipeline.
Filter/Exclusion: process.name IN ("ant", "maven", "gradle") or check for known CI/CD tools in the process tree.