
Summary
This rule identifies a suspicious sequence in which javaw.exe starts from a user-writable directory (for example under Users, ProgramData, or Windows\Temp) with a command line that loads a Java payload via -jar or -cp/-classpath, and the same process then performs a DNS lookup. The pattern is characteristic of adversaries who drop Java-based payloads into user-controlled locations, where the trusted, signed Java runtime executes code that application-control policies focused on native Windows binaries never inspect, and then contact external infrastructure for command and control.

The detection logic is a sequence by process.entity_id with a maxspan of 1 minute: a process start event for javaw.exe that satisfies the path and argument conditions, followed by a network event indicating a DNS lookup from the same process. Correlating the launch with an ensuing lookup inside a short window reduces the noise either event produces on its own and highlights staged execution followed by external beaconing. Java runtimes bundled with legitimately user-installed software also run from these paths, so exclusions for known publishers or file hashes are advisable when tuning the rule.
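The correlation the summary describes, implemented as an added Python example over constructed ECS-style events (this is not the rule's own query language or any project's code). The field names, the regular expression defining "user-writable" roots, and the sample events are all assumptions chosen to illustrate the three conditions (path, payload argument, DNS within maxspan) and the cases each one filters out.

```python
"""Sequence correlation: javaw.exe from a user-writable path with -jar/-cp, then DNS from that process."""
import re
from datetime import datetime, timedelta

# Assumed set of user-writable roots; the summary names these only by example.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
PAYLOAD_FLAGS = {"-jar", "-cp", "-classpath"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_suspicious_java_start(ev):
    """First leg: javaw.exe started from a user-writable path with a payload-loading argument."""
    return (
        ev.get("event.category") == "process"
        and ev.get("event.type") == "start"
        and ev.get("process.name", "").lower() == "javaw.exe"
        and USER_WRITABLE.match(ev.get("process.executable", "")) is not None
        and any(a.lower() in PAYLOAD_FLAGS for a in ev.get("process.args", []))
    )


def is_dns_lookup(ev):
    """Second leg: a network event carrying a DNS question."""
    return ev.get("event.category") == "network" and bool(ev.get("dns.question.name"))


def correlate(events, maxspan_seconds=60):
    """Emit one hit per process whose first DNS lookup follows a suspicious start within maxspan."""
    maxspan = timedelta(seconds=maxspan_seconds)
    pending = {}  # process.entity_id -> start event still waiting for its DNS leg
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        eid = ev.get("process.entity_id")
        if is_suspicious_java_start(ev):
            pending.setdefault(eid, ev)
        elif is_dns_lookup(ev) and eid in pending:
            start = pending.pop(eid)  # the sequence completes or expires on the first DNS event
            delta = parse_ts(ev["@timestamp"]) - parse_ts(start["@timestamp"])
            if delta <= maxspan:
                hits.append({
                    "entity_id": eid,
                    "executable": start["process.executable"],
                    "args": " ".join(start["process.args"]),
                    "dns": ev["dns.question.name"],
                    "delta_s": int(delta.total_seconds()),
                })
    return hits


# Constructed sample events (not real telemetry), shaped like ECS process and network documents.
def proc(ts, eid, exe, args):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "process.entity_id": eid, "process.name": "javaw.exe",
            "process.executable": exe, "process.args": args}


def dns(ts, eid, name):
    return {"@timestamp": ts, "event.category": "network", "event.type": "protocol",
            "process.entity_id": eid, "dns.question.name": name}


SAMPLE_EVENTS = [
    # p1: runtime dropped in the user's Temp dir loads a jar, resolves a host 12 s later -> hit
    proc("2024-03-01T10:00:00Z", "p1", r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe",
         ["javaw.exe", "-jar", r"C:\Users\alice\AppData\Local\Temp\update.jar"]),
    dns("2024-03-01T10:00:12Z", "p1", "cdn-updates.example"),
    # p2: system-wide JRE under Program Files -> path condition fails, no hit
    proc("2024-03-01T10:01:00Z", "p2", r"C:\Program Files\Java\jre\bin\javaw.exe",
         ["javaw.exe", "-jar", r"C:\Program Files\Tool\tool.jar"]),
    dns("2024-03-01T10:01:05Z", "p2", "tool-vendor.example"),
    # p4: user-writable path but no -jar/-cp/-classpath -> argument condition fails, no hit
    proc("2024-03-01T10:02:00Z", "p4", r"C:\Users\bob\jre\bin\javaw.exe", ["javaw.exe", "-version"]),
    dns("2024-03-01T10:02:03Z", "p4", "java-vendor.example"),
    # p3: suspicious start under ProgramData, but the lookup comes 6 min later -> outside maxspan, no hit
    proc("2024-03-01T10:05:00Z", "p3", r"C:\ProgramData\Updater\jre\bin\javaw.exe",
         ["javaw.exe", "-cp", r"C:\ProgramData\Updater\lib", "Main"]),
    dns("2024-03-01T10:11:00Z", "p3", "stage2.example"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Running it yields exactly one hit (p1); widening maxspan_seconds to 600 also surfaces p3, which shows how much the 1-minute window contributes to noise reduction. In production the path check would additionally exclude known-good publishers or hashes, since user-installed IDEs and launchers ship their own javaw.exe under the profile directory.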
Categories
- Endpoint
- Windows
- Network
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1204
- T1204.002
- T1105
- T1071
Created: 2026-06-21