Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Sigma rule (View on GitHub)
1title: Java Running with Remote Debugging
2id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
3status: test
4description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
5references:
6 - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
7author: Florian Roth (Nextron Systems)
8date: 2019/01/16
9modified: 2023/02/01
10tags:
11 - attack.t1203
12 - attack.execution
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_jdwp_transport:
18 CommandLine|contains: 'transport=dt_socket,address='
19 selection_old_jvm_version:
20 CommandLine|contains:
21 - 'jre1.'
22 - 'jdk1.'
23 exclusion:
24 CommandLine|contains:
25 - 'address=127.0.0.1'
26 - 'address=localhost'
27 condition: all of selection_* and not exclusion
28fields:
29 - CommandLine
30 - ParentCommandLine
31falsepositives:
32 - Unknown
33level: medium
References
-
This article takes a look at remotely debugging Java apps with JDWP and presents several scenarios for configuring the debugger.
Read More
Related rules
- Antivirus Exploitation Framework Detection
- Suspicious HWP Sub Processes
- Detection of PowerShell Execution via Sqlps.exe
- Invoke-Obfuscation Obfuscated IEX Invocation
- MMC20 Lateral Movement