
Summary
This detection rule identifies suspicious outbound network connections initiated by Java processes to the standard LDAP, RMI, or DNS ports, followed closely by the execution of atypical Java child processes. Such activity suggests exploitation of a Java application through Java Naming and Directory Interface (JNDI) injection, which lets an adversary trigger remote code execution (RCE). The rule captures sequences of these connections and child processes within a defined time span and with a defined parent-child process relationship, enabling prompt identification of a potential compromise. The triage and analysis steps provided in the rule assist analysts in investigating detected incidents, including verifying the legitimacy of the outbound requests and analyzing any correlated suspicious child processes. The higher risk score assigned to this rule reflects its importance in detecting exploitation attempts against Java applications.
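As an added illustration of the sequence logic the summary describes (example code written here, not the rule's own query), the following correlates constructed endpoint telemetry: an outbound connection from a Java process to a standard LDAP, LDAPS, RMI registry or DNS port, followed within a window by an atypical child of that same process. The 60-second window and the list of atypical child names are assumptions for the example; the page does not state either value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard ports named in the rule summary: LDAP, LDAPS, RMI registry, DNS.
JNDI_PORTS = {389, 636, 1099, 53}
# Maximum gap between the connection and the child process (assumed value).
WINDOW = timedelta(seconds=60)
# Child process names considered atypical for a Java server (assumed list).
ATYPICAL_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget"}

@dataclass
class Event:
    ts: datetime
    kind: str        # "network" or "process"
    host: str
    pid: int         # pid of the Java process (network) or its parent pid (process)
    name: str        # process name (network) or child process name (process)
    port: int = 0    # destination port, network events only

def detect_jndi_sequences(events):
    """Return (host, java_pid, dst_port, child) for every matching sequence.
    Events are keyed by (host, pid) so the child must be spawned by the same
    Java process that made the outbound connection, in that order."""
    pending = {}   # (host, pid) -> [(ts, port)] of qualifying connections
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "network" and ev.name == "java" and ev.port in JNDI_PORTS:
            pending.setdefault(key, []).append((ev.ts, ev.port))
        elif ev.kind == "process" and ev.name in ATYPICAL_CHILDREN:
            for ts, port in pending.get(key, []):
                if timedelta(0) <= ev.ts - ts <= WINDOW:
                    hits.append((ev.host, ev.pid, port, ev.name))
                    break
    return hits

T0 = datetime(2021, 12, 10, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    Event(T0, "network", "web01", 4242, "java", 1389),                    # non-standard port: out of scope
    Event(T0 + timedelta(seconds=5), "network", "web01", 4242, "java", 389),
    Event(T0 + timedelta(seconds=20), "process", "web01", 4242, "sh"),    # inside window: hit
    Event(T0 + timedelta(seconds=1), "network", "web02", 7001, "java", 53),
    Event(T0 + timedelta(seconds=300), "process", "web02", 7001, "bash"), # outside window: no hit
    Event(T0, "process", "web03", 100, "sh"),                              # child before connection
    Event(T0 + timedelta(seconds=2), "network", "web03", 100, "java", 1099),
]

if __name__ == "__main__":
    for hit in detect_jndi_sequences(SAMPLE_EVENTS):
        print("possible JNDI injection sequence:", hit)
```

The first sample event shows the coverage limit the summary implies: a connection to a non-standard LDAP port is not matched, so analysts should pair this rule with the child-process triage it describes rather than rely on the port list alone.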
Categories
- Endpoint
- Cloud
- Infrastructure
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1059
- T1059.007
- T1203
Created: 2021-12-10