
Suspicious Processes Spawned by Java.EXE

Sigma Rules

Summary
This detection rule identifies suspicious processes spawned from a Java host process on Windows. It monitors process-creation events whose parent image is 'java.exe' and checks whether the spawned process image ends with one of a set of specific names, covering common system binaries and utilities that can be misused for exploitation. Such child processes are a useful indicator of potential exploitation, in particular exploitation of the Log4j vulnerability that became notorious in late 2021. By tracking these suspicious children of the Java process, security teams can more readily detect when a legitimate Java application is being leveraged for malicious activity. Although the rule is rated high severity, it may produce false positives from legitimate system operations and internal organizational practices, so appropriate context and further investigation are recommended for any alert it generates.
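An added illustration of the rule's matching logic, written here as Python run over constructed process-creation events; it is not the Sigma rule itself (which this page does not reproduce), and the list of child image names is an assumed placeholder rather than the rule's actual list:

```python
import re

# ASSUMED example list for illustration only; the real rule's list of child
# image names is not reproduced on this page.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    # Split on either separator so both 'C:\x\java.exe' and 'C:/x/java.exe' work;
    # lower-casing mirrors Sigma's case-insensitive matching on Windows.
    return re.split(r"[\\/]", path)[-1].lower()


def is_suspicious_java_child(event: dict) -> bool:
    """True when a java.exe parent spawns a child from the watch list."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not parent or not image:
        return False
    # Compare the whole file name, so a parent such as 'notjava.exe' does not
    # match the way a bare suffix test on 'java.exe' would.
    if _basename(parent) != "java.exe":
        return False
    return _basename(image) in SUSPICIOUS_CHILDREN


def scan(events):
    """Return the events the rule would alert on."""
    return [e for e in events if is_suspicious_java_child(e)]


# Constructed sample events (not real telemetry) exercising the edge cases.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},               # hit
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Program Files\Java\bin\java.exe"},        # java spawning java: benign
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},               # parent is not java
    {"ParentImage": r"C:\Tools\notjava.exe",
     "Image": r"C:\Windows\System32\powershell.exe"},        # suffix trap, no hit
    {"ParentImage": r"C:\PROGRAM FILES\JAVA\BIN\JAVA.EXE",
     "Image": r"C:\WINDOWS\SYSTEM32\WHOAMI.EXE"},            # case differs: hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```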
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-12-17