Techniques
Sample rules
Suspicious Processes Spawned by Java.EXE
- source: sigma
- techniques:
Description
Detects suspicious processes spawned from a Java host process, which could indicate exploitation (e.g. log4j)
Detection logic
condition: selection
selection:
  Image|endswith:
    - \AppVLP.exe
    - \bitsadmin.exe
    - \certutil.exe
    - \cscript.exe
    - \curl.exe
    - \forfiles.exe
    - \hh.exe
    - \mftrace.exe
    - \mshta.exe
    - \net.exe
    - \net1.exe
    - \query.exe
    - \reg.exe
    - \regsvr32.exe
    - \rundll32.exe
    - \schtasks.exe
    - \scrcons.exe
    - \scriptrunner.exe
    - \sh.exe
    - \systeminfo.exe
    - \whoami.exe
    - \wmic.exe
    - \wscript.exe
  ParentImage|endswith: \java.exe
Shell Process Spawned by Java.EXE
- source: sigma
- techniques:
Description
Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_build:
  CommandLine|contains: build
  ParentImage|contains: build
selection:
  Image|endswith:
    - \bash.exe
    - \cmd.exe
    - \powershell.exe
    - \pwsh.exe
  ParentImage|endswith: \java.exe
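To show how the two rules above evaluate against process-creation telemetry, the following is an added example (not code from the Sigma project): a minimal evaluator for exactly these two rules, with Sigma's list-OR, map-AND and case-insensitive string semantics, run over constructed Sysmon-style events. The event field names, the sample paths and the `JAVA`/`EVENTS` constants are assumptions made for the example.

```python
# Added example, not part of the rule source: a minimal evaluator for the two
# Sigma rules above, run over constructed Sysmon-style process-creation events.
# Sigma semantics: list values are OR-ed, fields in one map are AND-ed, and
# endswith/contains compare case-insensitively.
SUSPICIOUS_CHILDREN = [
    r"\AppVLP.exe", r"\bitsadmin.exe", r"\certutil.exe", r"\cscript.exe",
    r"\curl.exe", r"\forfiles.exe", r"\hh.exe", r"\mftrace.exe", r"\mshta.exe",
    r"\net.exe", r"\net1.exe", r"\query.exe", r"\reg.exe", r"\regsvr32.exe",
    r"\rundll32.exe", r"\schtasks.exe", r"\scrcons.exe", r"\scriptrunner.exe",
    r"\sh.exe", r"\systeminfo.exe", r"\whoami.exe", r"\wmic.exe", r"\wscript.exe",
]
SHELLS = [r"\bash.exe", r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"]

def field_matches(event, spec, values):
    """Evaluate one 'Field|modifier: value(s)' entry against an event."""
    field, modifier = spec.split("|")
    actual = str(event.get(field, "")).lower()
    values = values if isinstance(values, list) else [values]
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """Every field in a selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def suspicious_process_spawned_by_java(event):
    """First rule: condition is 'selection'."""
    return selection_matches(event, {"Image|endswith": SUSPICIOUS_CHILDREN,
                                     "ParentImage|endswith": r"\java.exe"})

def shell_process_spawned_by_java(event):
    """Second rule: 'selection and not 1 of filter_main_*'."""
    selection = {"Image|endswith": SHELLS, "ParentImage|endswith": r"\java.exe"}
    filters = [{"CommandLine|contains": "build", "ParentImage|contains": "build"}]
    return selection_matches(event, selection) and not any(
        selection_matches(event, f) for f in filters)

# Constructed sample events (not real telemetry); the paths are assumptions.
JAVA = r"C:\Program Files\Java\jre\bin\java.exe"
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": JAVA, "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": JAVA, "CommandLine": "cmd /c dir"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\build\jdk\bin\java.exe",
     "CommandLine": "cmd /c build.bat"},  # excluded by filter_main_build (both fields match)
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Note that the build filter only suppresses an event when both `CommandLine` and `ParentImage` contain "build", because the two fields sit in one map and are therefore AND-ed.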