Shell Process Spawned by Java.EXE

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Sigma rule (View on GitHub)

 1title: Shell Process Spawned by Java.EXE
 2id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
 3related:
 4    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
 5      type: similar
 6status: test
 7description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 8references:
 9    - https://www.lunasec.io/docs/blog/log4j-zero-day/
10author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
11date: 2021/12/17
12modified: 2024/01/18
13tags:
14    - attack.initial_access
15    - attack.persistence
16    - attack.privilege_escalation
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        ParentImage|endswith: '\java.exe'
23        Image|endswith:
24            - '\bash.exe'
25            - '\cmd.exe'
26            - '\powershell.exe'
27            - '\pwsh.exe'
28    filter_main_build:
29        ParentImage|contains: 'build'  # excluding CI build agents
30        CommandLine|contains: 'build'  # excluding CI build agents
31    condition: selection and not 1 of filter_main_*
32falsepositives:
33    - Legitimate calls to system binaries
34    - Company specific internal usage
35level: medium

References

Related rules

to-top