Adversaries may use Java class files to execute malicious code across different platforms, leveraging the cross-platform capabilities of Java to maintain persistence and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential Adwind RAT activity and stop lateral movement and data exfiltration early.
KQL Query

```kusto
union DeviceFileEvents, DeviceProcessEvents
| where ProcessCommandLine has "attrib +h +s +r "
and ProcessCommandLine contains ".class"
```
```yaml
id: c5196191-609a-407f-a623-f37785eca019
name: hiding-java-class-file
description: |
  This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact.
  Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices.
  The query below checks for attempts to disguise Java class files (i.e., compiled code with a .class extension). Although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar defense evasion techniques.
  See Detecting a JAR attachment for an additional query that detects behavior associated with Adwind attacks.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  union DeviceFileEvents, DeviceProcessEvents
  | where ProcessCommandLine has "attrib +h +s +r "
  and ProcessCommandLine contains ".class"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Common benign scenarios that can trigger this query, each with a KQL exclusion that can be appended to the hunt. Because the process matched by the query is attrib itself, the exclusions test the parent process through InitiatingProcessFileName and InitiatingProcessCommandLine (this column mapping is an assumption; the filters were originally written against generic process.name and process.args fields).

Scenario: Java-based application deployment
Description: A legitimate Java application is deployed by a script that generates or manipulates .class files.
Filter/Exclusion: `| where not (InitiatingProcessFileName in~ ("java", "java.exe") and InitiatingProcessCommandLine contains "-jar" and InitiatingProcessCommandLine contains "-cp")`

Scenario: Scheduled Java job execution
Description: A system administrator schedules a Java-based job (e.g., using cron or Windows Task Scheduler) that processes .class files as part of a regular maintenance task.
Filter/Exclusion: `| where not (InitiatingProcessFileName in~ ("java", "java.exe") and InitiatingProcessCommandLine contains "-Djava.util.logging.config.file")`

Scenario: Java bytecode analysis tool usage
Description: A security analyst uses a tool such as javap or JD-GUI to analyze or decompile Java class files for debugging or code review.
Filter/Exclusion: `| where InitiatingProcessFileName !in~ ("javap", "javap.exe", "jd-gui", "jd-gui.exe")`

Scenario: Java-based configuration management tool
Description: A configuration management tool such as Ansible or Puppet uses Java-based modules to manage system configurations, which may involve .class files.
Filter/Exclusion: `| where not (InitiatingProcessFileName in~ ("ansible", "puppet") and InitiatingProcessCommandLine contains "--module")`

Scenario: Java-based logging or monitoring tool
Description: A monitoring tool such as Prometheus or Grafana (with Java plugins) may generate or process .class files during setup or configuration.
Filter/Exclusion: `| where not (InitiatingProcessFileName in~ ("prometheus", "grafana-server") and InitiatingProcessCommandLine contains "--config")`
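The hunt predicates above and the five exclusions, re-implemented offline so the logic can be unit-tested before it is deployed as a Sentinel rule. This is an added example, not code from the Sentinel query repository; the records and field mapping (ProcessCommandLine for the attrib command, InitiatingProcessFileName/InitiatingProcessCommandLine for the parent) are constructed assumptions.

```python
from dataclasses import dataclass
import re

@dataclass
class ProcessEvent:
    command_line: str  # ProcessCommandLine of the matched process (attrib in a hit)
    parent_name: str   # InitiatingProcessFileName (assumed mapping for the exclusions)
    parent_cmd: str    # InitiatingProcessCommandLine

# Approximates KQL `has "attrib +h +s +r "`: consecutive terms, case-insensitive,
# with the trailing whitespace the original search string requires.
ATTRIB_HIDE = re.compile(r"attrib\s+\+h\s+\+s\s+\+r\s", re.IGNORECASE)
JAVA = ("java", "java.exe")

def matches_hunt(ev: ProcessEvent) -> bool:
    # The page's two predicates: hide/system/read-only switches on a .class path.
    return bool(ATTRIB_HIDE.search(ev.command_line)) and ".class" in ev.command_line.lower()

def is_benign_parent(ev: ProcessEvent) -> bool:
    # The five false-positive exclusions, checked against the initiating process.
    name, cmd = ev.parent_name.lower(), ev.parent_cmd.lower()
    if name in JAVA and "-jar" in cmd and "-cp" in cmd:
        return True  # Java application deployment script
    if name in JAVA and "-djava.util.logging.config.file" in cmd:
        return True  # scheduled Java maintenance job
    if name in ("javap", "javap.exe", "jd-gui", "jd-gui.exe"):
        return True  # bytecode analysis tools
    if name in ("ansible", "puppet") and "--module" in cmd:
        return True  # configuration management modules
    if name in ("prometheus", "grafana-server") and "--config" in cmd:
        return True  # monitoring tool setup
    return False

def hunt(events):
    # Events that match the query and survive every exclusion.
    return [ev for ev in events if matches_hunt(ev) and not is_benign_parent(ev)]

# Constructed sample telemetry for the demo; not real Adwind artifacts.
SAMPLE_EVENTS = [
    ProcessEvent(r"attrib +h +s +r C:\Users\Public\lib\Loader.class",
                 "cmd.exe", r"cmd.exe /c C:\Users\Public\run.bat"),           # expected hit
    ProcessEvent(r"attrib +h +s +r build\Main.class",
                 "java.exe", "java -cp lib -jar deploy.jar"),                   # excluded: deployment
    ProcessEvent(r"attrib +r D:\reports\summary.txt", "cmd.exe", "cmd.exe"),     # no .class
    ProcessEvent(r"attrib +h C:\app\Util.class", "explorer.exe", "explorer.exe"),  # only +h
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("suspicious:", ev.command_line, "<-", ev.parent_name)
```

Running it reports only the first sample event; the second matches the query but is dropped by the deployment exclusion, which is the behaviour to verify whenever an exclusion is edited.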