Suspicious Shells Spawn by Java Utility Keytool

Sigma Rules

Summary
This detection rule identifies potentially malicious behavior by monitoring process creation events on Windows systems. It specifically looks for instances where command-line utilities are spawned as child processes of 'keytool.exe', a Java utility normally used for managing keystores and certificates. The rule is particularly aimed at detecting exploitation of CVE-2021-40539 in ManageEngine's AD SelfService Plus, where attackers may leverage 'keytool' to execute additional shell commands via known utilities such as 'cmd.exe', 'powershell.exe', 'bash.exe', and others. Several command-line tools are included to broaden the detection surface against shell-like executions originating from the Java keytool, which could signal initial access, persistence, or privilege escalation. By adding multiple known shells and script execution utilities to the watchlist, this rule improves coverage of this specific tactic employed by adversaries.
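The following Python sketch is an added illustration of the parent/child relationship the summary describes; it is not the Sigma rule itself nor code from the Sigma project. It assumes Sysmon-style `ParentImage` and `Image` field names for process-creation events, and it extends the three shells named above with a few script hosts (`pwsh.exe`, `sh.exe`, `wscript.exe`, `cscript.exe`) as an assumed reading of "script execution utilities". The sample events are constructed for the example.

```python
"""Added example: flag process-creation events where keytool.exe spawns a shell.

Field names follow Sysmon-style naming (ParentImage / Image); this is an
assumption for the example, not a reproduction of the rule's own selectors.
"""
import ntpath

# Shells named in the rule summary, plus script hosts assumed for illustration.
SHELL_IMAGES = frozenset({
    "cmd.exe", "powershell.exe", "bash.exe",            # named on the page
    "pwsh.exe", "sh.exe", "wscript.exe", "cscript.exe",  # assumed additions
})


def _image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_suspicious_keytool_child(event: dict) -> bool:
    """True when the parent is keytool.exe and the child is a known shell/script host.

    Matching is on the image file name only and is case-insensitive, so the
    directory keytool lives in (JRE bundled with an application or a system-wide
    Java install) does not matter.
    """
    parent = _image_name(event.get("ParentImage", ""))
    child = _image_name(event.get("Image", ""))
    return parent == "keytool.exe" and child in SHELL_IMAGES


def scan(events):
    """Return the subset of events that the detection logic flags."""
    return [e for e in events if is_suspicious_keytool_child(e)]


# Constructed sample events (not real telemetry). Events 1, 2 and 5 should match.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # keytool launching another Java binary: not a shell, so not flagged
    {"id": 3, "ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\Program Files\Java\jre\bin\java.exe"},
    # a shell with a non-keytool parent: outside the rule's scope
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # mixed-case path: still matched because comparison is case-insensitive
    {"id": 5, "ParentImage": r"C:\App\JRE\BIN\KEYTOOL.EXE",
     "Image": r"C:\Tools\Git\usr\bin\bash.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious:", hit["id"], hit["ParentImage"], "->", hit["Image"])
```

Matching on the bare image name rather than a full path keeps the check robust to keytool being bundled under an application's own JRE directory, which is the case the summary has in mind; tuning would normally start by reviewing any legitimate build or provisioning scripts that call keytool and happen to wrap it in a shell.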
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2021-12-22