Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Sigma rule
title: Suspicious Processes Spawned by Java.EXE
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
    - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
      type: similar
status: experimental
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021/12/17
modified: 2023/11/09
tags:
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\query.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate calls to system binaries
    - Company specific internal usage
level: high
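An added example, not part of the rule or the Sigma project, that applies this rule's selection to a few constructed process-creation events using Sigma's case-insensitive `endswith` semantics. The sample paths are made up; the events show why the leading backslash in each value anchors the whole file name and why a `javaw.exe` parent does not satisfy the `\java.exe` suffix.

```python
# Transcription of the rule's selection block (values copied from the YAML above).
PARENT_SUFFIX = r"\java.exe"
CHILD_SUFFIXES = [
    r"\AppVLP.exe", r"\bash.exe", r"\bitsadmin.exe", r"\certutil.exe",
    r"\cscript.exe", r"\curl.exe", r"\forfiles.exe", r"\hh.exe",
    r"\mftrace.exe", r"\mshta.exe", r"\net.exe", r"\net1.exe",
    r"\query.exe", r"\reg.exe", r"\regsvr32.exe", r"\rundll32.exe",
    r"\schtasks.exe", r"\scrcons.exe", r"\scriptrunner.exe", r"\sh.exe",
    r"\systeminfo.exe", r"\whoami.exe", r"\wmic.exe", r"\wscript.exe",
]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's 'endswith' modifier: suffix comparison, case-insensitive."""
    return value.lower().endswith(suffix.lower())


def matches(event: dict) -> bool:
    """True when a process_creation event satisfies 'condition: selection'."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, s) for s in CHILD_SUFFIXES
    )


def alerts(events: list) -> list:
    """Return the events this rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events, not real telemetry.
EVENTS = [
    # Upper-case image name still matches: endswith is case-insensitive.
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\CERTUTIL.EXE"},
    # cmd.exe is not in this rule's Image list, so no alert here.
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # javaw.exe does not end with '\java.exe', so the rule as written stays silent.
    {"ParentImage": r"C:\Program Files\Java\bin\javaw.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    # The leading backslash anchors the file name: 'notcurl.exe' is not '\curl.exe'.
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\tools\notcurl.exe"},
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\wbem\wmic.exe"},
]

if __name__ == "__main__":
    for hit in alerts(EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```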
Related rules
- Shell Process Spawned by Java.EXE
- Impossible Travel
- Password Provided In Command Line Of Net.EXE
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow