Shell Process Spawned by Java.EXE

Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation ·

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Sigma rule (View on GitHub)

 1title: Shell Process Spawned by Java.EXE
 2id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
 3related:
 4    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
 5      type: similar
 6status: test
 7description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 8references:
 9    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
10author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
11date: 2021-12-17
12modified: 2024-01-18
13tags:
14    - attack.initial-access
15    - attack.persistence
16    - attack.privilege-escalation
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        ParentImage|endswith: '\java.exe'
23        Image|endswith:
24            - '\bash.exe'
25            - '\cmd.exe'
26            - '\powershell.exe'
27            - '\pwsh.exe'
28    filter_main_build:
29        ParentImage|contains: 'build'  # excluding CI build agents
30        CommandLine|contains: 'build'  # excluding CI build agents
31    condition: selection and not 1 of filter_main_*
32falsepositives:
33    - Legitimate calls to system binaries
34    - Company specific internal usage
35level: medium

References

Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace

Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how to fix Log4Shell, why it's bad, and what a working exploit requires in this post.

Read More

Shell Process Spawned by Java.EXE

Sigma rule (View on GitHub)

References

Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace

Related rules