Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Shell Process Spawned by Java.EXE

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Andreas Hunkeler, Nasreddine Bencherchali (Nextron Systems)Created Fri Dec 17Updated Thu Jan 18dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_build:
        ParentImage|contains: 'build'  # excluding CI build agents
        CommandLine|contains: 'build'  # excluding CI build agents
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate calls to system binaries

Company specific internal usage

References
1
Resolving title…
web.archive.org
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Suspicious Processes Spawned by Java.EXE

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
Status
test
Level
medium
Type
Detection
Created
Fri Dec 17
Modified
Thu Jan 18
Author
Andreas Hunkeler, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
Raw Tags
attack.initial-accessattack.persistenceattack.privilege-escalation
View on GitHub