Java Dropped and Executed With DNS Lookup

Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute them immediately to establish command and control while evading application control focused on native Windows binaries.

Elastic rule

[metadata]
creation_date = "2026/06/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/06/21"

[rule]
author = ["Elastic"]
description = """
Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java
classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute
them immediately to establish command and control while evading application control focused on native Windows
binaries.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Java Dropped and Executed With DNS Lookup"
note = """## Triage and analysis

### Investigating Java Dropped and Executed With DNS Lookup

This rule correlates a recently created or modified `javaw.exe` launch from `Users`, `ProgramData`, or `Windows\\Temp` with an immediate
DNS lookup from the same process. Attackers often drop JAR-based payloads to user-writable locations and invoke them
with `-jar` or `-cp`/`-classpath` to blend in with legitimate Java usage while reaching out to command and control
infrastructure.

#### Possible investigation steps

- Review `process.executable`, `process.command_line`, and `process.args` to identify the JAR or classpath target and
  whether the path is user-writable or unexpected for the host role.
- Inspect `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` to confirm the
  binary or payload was staged immediately before execution.
- Examine the parent process tree for download, archive extraction, or script activity that may have dropped the JAR
  or `javaw.exe`.
- Pivot on the DNS event for `dns.question.name`, `dns.resolved_ip`, and any follow-on connection attempts from the
  same `process.entity_id`.
- Check code signature details for `javaw.exe` and any referenced JAR files when file telemetry is available.
- Hunt for the same JAR hash, command line, or queried domain on other hosts.

### False positive analysis

- Developer workflows, local Java applications, and enterprise tools may run freshly updated JARs from user profiles or
  `ProgramData`. Validate the JAR path, signer, parent process, and queried domain against known software before
  closing as benign.
- Some installers or updaters drop a private JRE under `ProgramData` and launch JAR utilities during setup. Confirm the
  activity aligns with a known deployment or update window.

### Response and remediation

- Isolate the host if the JAR, domain, or parent activity appears malicious.
- Quarantine the dropped JAR, related Java runtime files, and any staging artifacts identified in the process tree.
- Block malicious domains or IPs at DNS and network enforcement points.
- Reset credentials for accounts active on the host during the suspicious session if follow-on activity is observed."""
risk_score = 47
rule_id = "80d7f4ef-c3b6-4466-80f4-805bdd10507d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and
  (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
  (process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and
  process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and user.id != "S-1-5-18" and
  (
   (process.args_count == 3 and process.args : "-jar") or
   (process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
  )]
 [network where host.os.type == "windows" and event.action: "lookup_requested"]
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.parent.executable"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
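To show how the two-stage sequence in the query above behaves, here is an added Python replay of the rule's logic over constructed endpoint events; it is not Elastic's code, and the flat event dictionaries (keys such as rel_create, rel_modify and dns_name) are simplified stand-ins for the ECS fields the rule names, with EQL's `:` wildcard semantics approximated by fnmatch.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

SYSTEM_SID = "S-1-5-18"  # rule constants; event field names below are simplified stand-ins (assumption)
STAGING_PATHS = ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*")
MAXSPAN = timedelta(minutes=1)

def eql_match(value, pattern):
    return fnmatchcase(value.lower(), pattern.lower())  # EQL ':' wildcard match: whole string, case-insensitive
def is_suspicious_java_start(ev):
    """First sequence stage: recently dropped javaw.exe launched from a user-writable path, not by SYSTEM."""
    if ev["category"] != "process" or ev["action"] != "start":
        return False
    fresh = min(ev.get("rel_create", 10**9), ev.get("rel_modify", 10**9)) <= 500
    is_javaw = ev["name"].lower() == "javaw.exe" or ev.get("original_file_name") == "javaw.exe"
    staged = any(eql_match(ev["executable"], p) for p in STAGING_PATHS)
    jar_form = len(ev["args"]) == 3 and "-jar" in ev["args"]
    cp_form = (len(ev["args"]) == 4 and any(a in ("-cp", "-classpath") for a in ev["args"])
               and eql_match(ev.get("command_line", ""), " *.* "))
    return fresh and is_javaw and staged and ev["user_id"] != SYSTEM_SID and (jar_form or cp_form)

def find_sequences(events):
    """Second stage: the first lookup_requested from the same entity_id within maxspan of the start."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, start in enumerate(events):
        if not is_suspicious_java_start(start):
            continue
        for follow in events[i + 1:]:
            if follow["ts"] - start["ts"] > MAXSPAN:
                break  # events are time-ordered, so nothing later can satisfy maxspan
            if (follow["category"], follow["action"], follow["entity_id"]) == \
                    ("network", "lookup_requested", start["entity_id"]):
                hits.append((start["entity_id"], follow["dns_name"]))
                break
    return hits

T0 = datetime(2026, 6, 21, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry: p1 is a staged javaw.exe, p2 the same command from an installed JDK
    {"ts": T0, "category": "process", "action": "start", "entity_id": "p1", "name": "javaw.exe",
     "executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe", "rel_create": 12,
     "user_id": "S-1-5-21-1-2-3-1001", "args": ["javaw.exe", "-jar", "invoice.jar"]},
    {"ts": T0 + timedelta(seconds=3), "category": "network", "action": "lookup_requested",
     "entity_id": "p1", "dns_name": "update.example.invalid"},
    {"ts": T0 + timedelta(seconds=30), "category": "process", "action": "start", "entity_id": "p2",
     "name": "javaw.exe", "executable": "C:\\Program Files\\Java\\bin\\javaw.exe", "rel_create": 5,
     "user_id": "S-1-5-21-1-2-3-1001", "args": ["javaw.exe", "-jar", "tool.jar"]},
    {"ts": T0 + timedelta(seconds=31), "category": "network", "action": "lookup_requested",
     "entity_id": "p2", "dns_name": "corp.example.invalid"},
]
```

Only p1 fires: p2 runs the same `-jar` command line but from Program Files, so the first stage never matches and its DNS lookup is ignored, which is the path-plus-freshness gating the false-positive section relies on.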
