Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Sigma rule
title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
    - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
    - attack.t1203
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_jdwp_transport:
        CommandLine|contains: 'transport=dt_socket,address='
    selection_old_jvm_version:
        CommandLine|contains:
            - 'jre1.'
            - 'jdk1.'
    exclusion:
        CommandLine|contains:
            - 'address=127.0.0.1'
            - 'address=localhost'
    condition: all of selection_* and not exclusion
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
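To show what the condition `all of selection_* and not exclusion` actually matches, the following Python re-implements just this rule's three selections over a handful of constructed Windows process_creation events. It is an added example, not part of the rule or of the Sigma project; the command lines are made up, and the `contains` matching is done case-insensitively, as Sigma's default string matching is.

```python
"""Evaluate the 'Java Running with Remote Debugging' Sigma logic over sample events.

This re-implements only the selections of the rule above, without a Sigma backend,
so the effect of each selection and of the exclusion can be seen on concrete input.
"""

# Constructed process_creation events. Only CommandLine is used because that is the
# only field the rule's detection section reads.
SAMPLE_EVENTS = [
    # Old JDK 8 path, JDWP given a bare port -> on JDK 8 this listens on all interfaces: match
    {"CommandLine": r'"C:\Program Files\Java\jdk1.8.0_202\bin\java.exe" '
                    r'-agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n -jar app.jar'},
    # Old JRE path, listener bound to loopback -> hit by the exclusion
    {"CommandLine": r'"C:\Program Files\Java\jre1.8.0_202\bin\java.exe" '
                    r'-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:5005,server=y -jar app.jar'},
    # Old JDK path, 'localhost' spelled out -> hit by the exclusion
    {"CommandLine": r'"C:\Program Files\Java\jdk1.8.0_202\bin\java.exe" '
                    r'-agentlib:jdwp=transport=dt_socket,address=localhost:5005,server=y -jar app.jar'},
    # Modern JDK path contains neither 'jdk1.' nor 'jre1.', so selection_old_jvm_version
    # fails even though '*:5005' binds every interface -> NOT matched (rule coverage gap)
    {"CommandLine": r'"C:\Program Files\Java\jdk-17\bin\java.exe" '
                    r'-agentlib:jdwp=transport=dt_socket,address=*:5005,server=y -jar app.jar'},
    # Old JDK path but no debugging agent at all -> selection_jdwp_transport fails
    {"CommandLine": r'"C:\Program Files\Java\jdk1.8.0_202\bin\java.exe" -jar app.jar'},
]

# The rule's search strings, copied from the detection section above.
SELECTION_JDWP_TRANSPORT = ["transport=dt_socket,address="]
SELECTION_OLD_JVM_VERSION = ["jre1.", "jdk1."]
EXCLUSION = ["address=127.0.0.1", "address=localhost"]


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' with a list of values: true if any value is a case-insensitive substring."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'all of selection_* and not exclusion'."""
    cmd = event.get("CommandLine", "")
    selection_jdwp_transport = contains_any(cmd, SELECTION_JDWP_TRANSPORT)
    selection_old_jvm_version = contains_any(cmd, SELECTION_OLD_JVM_VERSION)
    exclusion = contains_any(cmd, EXCLUSION)
    return selection_jdwp_transport and selection_old_jvm_version and not exclusion


def evaluate(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it alerts only on the first event. The two loopback variants are suppressed by the exclusion, and the event with no JDWP agent never satisfies the first selection. The fourth event is the caveat worth knowing when deploying this rule: the `selection_old_jvm_version` requirement means it only fires for Java installations whose path still contains `jdk1.` or `jre1.`, i.e. Java 8 and older; a JDK 9+ install path such as `jdk-17` is not covered, even when `address=*:port` exposes the debugger on every interface. Restricting the rule to old JVMs makes sense for the bare-port case shown in the first event, since on JDK 8 and earlier a bare port binds all interfaces, whereas from JDK 9 onward JDWP defaults to loopback unless a host or `*` is given. If you want to catch the wildcard form on current JDKs, that needs a separate selection.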