The StrRAT-Email-Delivery rule detects potential email-based delivery of the StrRAT remote access tool, which adversaries use to establish persistence and exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
KQL Query

```kql
EmailUrlInfo
| where UrlDomain has_any ('metroscaffingltg.co.uk',
    'pg-finacesolutions.co.uk',
    'jpfletcherconsultancy.co.uk',
    'buildersworlinc.co.uk',
    'bentlyconstbuild.co.uk',
    'alfredoscafeltd.co.uk',
    'zincocorporation.co.uk',
    'playerscircleinc.co.uk',
    'tg-cranedinc.co.uk',
    'adamridley.co.uk',
    'westcoasttrustedtaxis.co.uk',
    'sivospremiumclub.co.uk',
    'gossyexperience.co.uk',
    'jeffersonsandc.co.uk',
    'fillinaresortsltd.co.uk',
    'tk-consultancyltd.co.uk')
```
```yaml
id: 3661b3e6-be67-41af-a0c1-fa7c012f1233
name: StrRAT-Email-Delivery
description: |
  StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
tactics:
  - InitialAccess
query: |
  EmailUrlInfo
  | where UrlDomain has_any ('metroscaffingltg.co.uk',
      'pg-finacesolutions.co.uk',
      'jpfletcherconsultancy.co.uk',
      'buildersworlinc.co.uk',
      'bentlyconstbuild.co.uk',
      'alfredoscafeltd.co.uk',
      'zincocorporation.co.uk',
      'playerscircleinc.co.uk',
      'tg-cranedinc.co.uk',
      'adamridley.co.uk',
      'westcoasttrustedtaxis.co.uk',
      'sivospremiumclub.co.uk',
      'gossyexperience.co.uk',
      'jeffersonsandc.co.uk',
      'fillinaresortsltd.co.uk',
      'tk-consultancyltd.co.uk')
```
| Sentinel Table | Notes |
|---|---|
| EmailUrlInfo | Ensure the MicrosoftThreatProtection data connector is enabled so this table is populated |
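To test the rule's domain check offline before deploying it, the following Python reimplements the `has_any` condition over EmailUrlInfo-shaped rows. This is an added example, not code from the rule or the Sentinel repository; the sample rows are constructed, and matching subdomains on label boundaries (so `mail.tk-consultancyltd.co.uk` is a hit but `notadamridley.co.uk` is not) is an assumption about the intended coverage that goes slightly beyond the literal KQL above.

```python
import json
from urllib.parse import urlsplit

# Indicator list copied from the StrRAT-Email-Delivery rule above.
STRRAT_DOMAINS = frozenset({
    'metroscaffingltg.co.uk', 'pg-finacesolutions.co.uk',
    'jpfletcherconsultancy.co.uk', 'buildersworlinc.co.uk',
    'bentlyconstbuild.co.uk', 'alfredoscafeltd.co.uk',
    'zincocorporation.co.uk', 'playerscircleinc.co.uk',
    'tg-cranedinc.co.uk', 'adamridley.co.uk',
    'westcoasttrustedtaxis.co.uk', 'sivospremiumclub.co.uk',
    'gossyexperience.co.uk', 'jeffersonsandc.co.uk',
    'fillinaresortsltd.co.uk', 'tk-consultancyltd.co.uk',
})


def domain_matches(url_domain: str) -> bool:
    """True when the domain equals, or is a subdomain of, a listed indicator.

    Case-insensitive and on label boundaries (assumption): a lookalike such as
    'notadamridley.co.uk' must not count as a hit for 'adamridley.co.uk'.
    """
    d = url_domain.strip().lower().rstrip('.')
    if d in STRRAT_DOMAINS:
        return True
    return any(d.endswith('.' + ioc) for ioc in STRRAT_DOMAINS)


def hunt(email_url_rows):
    """Apply the rule to EmailUrlInfo-shaped rows (dicts) and return the hits."""
    hits = []
    for row in email_url_rows:
        # Prefer the UrlDomain column; fall back to parsing Url if it is absent.
        domain = row.get('UrlDomain') or urlsplit(row.get('Url', '')).hostname or ''
        if domain_matches(domain):
            hits.append({'NetworkMessageId': row['NetworkMessageId'],
                         'UrlDomain': domain, 'Url': row.get('Url')})
    return hits


# Constructed sample rows (not real telemetry) in the shape of EmailUrlInfo.
SAMPLE_ROWS = [
    {'NetworkMessageId': 'msg-1', 'Url': 'https://adamridley.co.uk/invoice.jar',
     'UrlDomain': 'adamridley.co.uk'},
    {'NetworkMessageId': 'msg-2', 'Url': 'http://mail.tk-consultancyltd.co.uk/x',
     'UrlDomain': 'mail.tk-consultancyltd.co.uk'},
    {'NetworkMessageId': 'msg-3', 'Url': 'https://notadamridley.co.uk/',
     'UrlDomain': 'notadamridley.co.uk'},
    {'NetworkMessageId': 'msg-4', 'Url': 'https://example.com/report',
     'UrlDomain': 'example.com'},
]

if __name__ == '__main__':
    print(json.dumps(hunt(SAMPLE_ROWS), indent=2))
```

Running the block prints the two expected hits (msg-1 and msg-2); use the returned NetworkMessageId values to pivot into EmailEvents for sender and recipient context.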
Scenario: Legitimate Email Client Sending Attachments
Description: A user is sending an email with a .jar file attachment using a legitimate email client like Microsoft Outlook or Mozilla Thunderbird. This could trigger the rule because .jar files are often associated with Java-based malware.
Filter/Exclusion: email_client = outlook OR email_client = thunderbird OR attachment_type = legitimate_attachment
Scenario: Scheduled Job Running Java Script
Description: A system administrator is running a scheduled job using a tool like cron or Task Scheduler that executes a Java program packaged as a .jar for automated reporting or data processing.
Filter/Exclusion: process_name = java AND (command_line LIKE '%cron%' OR command_line LIKE '%task scheduler%')
Scenario: Admin Using Java-Based Monitoring Tool
Description: An admin is using a legitimate Java-based monitoring tool like Nagios or Zabbix to monitor system performance, which may involve executing .jar files.
Filter/Exclusion: process_name = nagios OR process_name = zabbix OR (process_name = java AND command_line LIKE '%monitor%')
Scenario: User Downloading Java-Based Application
Description: A user is downloading a Java-based application like Jenkins or Eclipse from a trusted repository, which may involve a .jar file.
Filter/Exclusion: download_source = trusted_repo OR file_name LIKE '%jenkins%' OR file_name LIKE '%eclipse%'
Scenario: Java-Based Automation Script Execution
Description: A developer is running a Java-based automation script using a tool like Jenkins or Apache Ant, which may involve executing .jar files as part of a CI/CD