Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

  1[metadata]
  2creation_date = "2026/02/02"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/02/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
 11This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
 12deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
 13SQLite extensions and achieve remote code execution.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process"
 20note = """## Triage and analysis
 21
 22> **Disclaimer**:
 23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, validate the guidance and adapt it to your environment and operational requirements.
 24
 25### Investigating Suspicious SolarWinds Web Help Desk Java Module Load or Child Process"
 26
 27SolarWinds Web Help Desk is a Java-based, internet-facing application commonly deployed on Windows servers.
 28Recent vulnerabilities (CVE-2025-40536, CVE-2025-40551) allow unauthenticated attackers to exploit unsafe
 29deserialization and abuse SQLite extension loading to execute arbitrary native code within the Java process.
 30
 31This rule detects suspicious native module (DLL) loads by the Web Help Desk Java process, as well as
 32post-exploitation child process execution, both of which are strong indicators of successful exploitation.
 33
 34### Possible investigation steps
 35
 36- Review the **process executable path** to confirm the activity originated from the Web Help Desk Java runtime (e.g., `WebHelpDesk\\jre\\bin\\java.exe`).
 37- Examine the **loaded DLL path**:
 38  - Pay special attention to DLLs loaded from UNC paths (e.g., `\\<IP>\\share\\*.dll`) or temporary directories.
 39  - Validate whether the DLL is unsigned or has an untrusted code signature.
 40- Review **network telemetry** around the time of the alert for outbound SMB connections (TCP 445) originating from the Java process.
 41- If a child process was spawned (e.g., `cmd.exe`, `powershell.exe`, `rundll32.exe`):
 42  - Inspect command-line arguments for evidence of payload execution, staging, or persistence.
 43- Check system logs for additional indicators of compromise, including scheduled task creation, service installation, or persistence mechanisms.
 44- Determine the Web Help Desk version in use and confirm whether security patches addressing the relevant CVEs have been applied.
 45
 46### False positive analysis
 47
 48- Legitimate Web Help Desk installations typically do not load arbitrary native extensions at runtime. False positives are expected to be rare.
 49- Custom integrations or troubleshooting activities that involve native JDBC extensions could trigger this rule. Validate whether such behavior is expected in your environment.
 50- Security software or backup agents interacting with Java processes may occasionally load signed native libraries; verify the DLL origin and signature before dismissing the alert.
 51
 52### Response and remediation
 53
 54- Treat this alert as a **high-confidence compromise indicator** if the DLL is untrusted or loaded from a remote path.
 55- Isolate the affected host to prevent further lateral movement or payload staging.
 56- Terminate suspicious child processes and capture memory artifacts if possible for forensic analysis.
 57- Remove any malicious files identified on disk and review persistence mechanisms.
 58- Apply the latest SolarWinds Web Help Desk security updates addressing CVE-2025-40536 and CVE-2025-40551.
 59- Conduct a broader environment sweep to identify other potentially vulnerable or compromised Web Help Desk instances.
 60- Escalate the incident to the security operations or incident response team for full containment and remediation."""
 61references = [
 62    "https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/",
 63    "https://github.com/rapid7/metasploit-framework/pull/20917",
 64]
 65risk_score = 73
 66rule_id = "a4f7a295-aba1-4382-9c00-f7b02097acbc"
 67severity = "high"
 68tags = [
 69    "Domain: Endpoint",
 70    "OS: Windows",
 71    "Use Case: Threat Detection",
 72    "Tactic: Initial Access",
 73    "Use Case: Vulnerability",
 74    "Data Source: Elastic Defend",
 75    "Resources: Investigation Guide",
 76]
 77timestamp_override = "event.ingested"
 78type = "eql"
 79
 80query = '''
 81any where host.os.type == "windows" and
 82(
 83 (event.category == "library" and
 84  process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
 85  (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
 86
 87 (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
 88  process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
 89)
 90'''
 91
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95[[rule.threat.technique]]
 96id = "T1190"
 97name = "Exploit Public-Facing Application"
 98reference = "https://attack.mitre.org/techniques/T1190/"
 99
100
101[rule.threat.tactic]
102id = "TA0001"
103name = "Initial Access"
104reference = "https://attack.mitre.org/tactics/TA0001/"