Suspicious Java Children Processes
Detects java process spawning suspicious children
Sigma rule (View on GitHub)
1title: Suspicious Java Children Processes
2id: d292e0af-9a18-420c-9525-ec0ac3936892
3status: test
4description: Detects java process spawning suspicious children
5references:
6 - https://www.tecmint.com/different-types-of-linux-shells/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/03
9tags:
10 - attack.execution
11 - attack.t1059
12logsource:
13 category: process_creation
14 product: linux
15detection:
16 selection:
17 ParentImage|endswith: '/java'
18 CommandLine|contains:
19 - '/bin/sh'
20 - 'bash'
21 - 'dash'
22 - 'ksh'
23 - 'zsh'
24 - 'csh'
25 - 'fish'
26 - 'curl'
27 - 'wget'
28 - 'python'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
-
In this article, we shall take a look at some of the most frequently used open-source shells and their features on Unix/GNU Linux systems.
Read More
Related rules
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created
- BPFDoor Abnormal Process ID or Lock File Accessed
- Parent in Public Folder Suspicious Process
- Payload Decoded and Decrypted via Built-in Utilities