A malicious actor may be using the ws_TomcatService.exe process from VMware Horizon to execute arbitrary code and establish persistence within the environment. SOC teams should proactively hunt for this behavior as it indicates potential exploitation of the Log4J vulnerability to escalate privileges and deploy malware.
KQL Query
DeviceProcessEvents
| where InitiatingProcessFileName has "ws_TomcatService.exe"
| where FileName != "repadmin.exe"
id: afa7c7b7-7d1f-4898-9daf-b35500ff8f2f
name: Suspicious process event creation from VMWare Horizon TomcatService
description: |
  Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Vulnerability
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName has "ws_TomcatService.exe"
  | where FileName != "repadmin.exe"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate Tomcat Service Restart via Scheduled Task
Description: A system administrator uses a scheduled task to restart the Tomcat service, which is hosted on VMware Horizon, triggering the rule.
Filter/Exclusion: ProcessName != "ws_TomcatService.exe" OR ParentProcessName == "schtasks.exe"
Scenario: VMware Horizon VM Reconfiguration via PowerShell
Description: An admin uses PowerShell to reconfigure a VMware Horizon VM, which may involve process creation that matches the rule’s signature.
Filter/Exclusion: ProcessName != "ws_TomcatService.exe" OR CommandLine contains "PowerShell.exe"
Scenario: Log4J Patching Tool Execution
Description: A security tool is used to patch the Log4J vulnerability, and it spawns a process that resembles malicious activity.
Filter/Exclusion: ProcessName contains "log4j-patcher.exe" OR CommandLine contains "log4j-patch"
Scenario: System Update via Group Policy Client
Description: A system update is initiated via Group Policy, which may involve process creation that triggers the rule.
Filter/Exclusion: ProcessName != "ws_TomcatService.exe" OR CommandLine contains "gpupdate.exe"
Scenario: VMware Horizon Agent Maintenance Task
Description: A maintenance task related to the VMware Horizon Agent is executed, which may involve process creation that matches the rule.
Filter/Exclusion: ProcessName contains "vmware-horizon-agent.exe" OR CommandLine contains "maintenance-task"
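The following is an added example, not code from the original page or from Microsoft's Sentinel content. It re-implements the hunting query above in Python over constructed DeviceProcessEvents rows, then layers tuning allow-lists on top so the effect of an exclusion such as the ones in the scenarios can be checked before it is shipped. It covers both the query itself and the false-positive scenarios. Assumptions: column names follow the DeviceProcessEvents schema (FileName, ProcessCommandLine, InitiatingProcessFileName); the host names, command lines and the admin script path are constructed for illustration.

```python
# Added example: re-implementation of the page's hunting query plus tuning
# allow-lists, run over constructed DeviceProcessEvents rows (not real data).
# Column names are assumed to match the DeviceProcessEvents schema.
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    DeviceName: str
    FileName: str                   # name of the created (child) process
    ProcessCommandLine: str         # its command line
    InitiatingProcessFileName: str  # the parent process


# Constructed sample telemetry; the "-enc <base64-payload>" row stands in for
# an encoded command an analyst would want to keep seeing.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("horizon-cs01", "repadmin.exe", "repadmin.exe /showrepl", "ws_TomcatService.exe"),
    ProcessEvent("horizon-cs01", "powershell.exe", "powershell.exe -enc <base64-payload>", "ws_TomcatService.exe"),
    ProcessEvent("horizon-cs01", "cmd.exe", "cmd.exe /c whoami /all", "ws_TomcatService.exe"),
    ProcessEvent("horizon-cs02", "powershell.exe", r"powershell.exe -File C:\Admin\Horizon-Reconfigure.ps1", "ws_TomcatService.exe"),
    ProcessEvent("horizon-cs02", "REPADMIN.EXE", "REPADMIN.EXE /showrepl", "ws_TomcatService.exe"),
    ProcessEvent("fileserver01", "cmd.exe", "cmd.exe /c dir", "explorer.exe"),
]

Predicate = Callable[[ProcessEvent], bool]


def base_rule(events: Iterable[ProcessEvent], case_insensitive: bool = False) -> List[ProcessEvent]:
    """Mirror of the page's KQL.

    KQL `has` is case-insensitive, but `!=` is a case-sensitive string compare,
    so the query as written still reports a child named REPADMIN.EXE. Pass
    case_insensitive=True to get the behaviour of `FileName !~ "repadmin.exe"`.
    """
    hits = []
    for e in events:
        if "ws_tomcatservice.exe" not in e.InitiatingProcessFileName.lower():
            continue
        if case_insensitive:
            if e.FileName.lower() == "repadmin.exe":
                continue
        elif e.FileName == "repadmin.exe":
            continue
        hits.append(e)
    return hits


def tuned_rule(events: Iterable[ProcessEvent], allowlist: List[Predicate]) -> List[ProcessEvent]:
    """Base rule (case-insensitive exclusion) minus hits an allow-list predicate marks benign."""
    return [e for e in base_rule(events, case_insensitive=True) if not any(p(e) for p in allowlist)]


def suppressed_by(events: Iterable[ProcessEvent], allowlist: List[Predicate]) -> List[ProcessEvent]:
    """Hits the allow-list removed; review this list before shipping an exclusion."""
    events = list(events)
    kept = set(tuned_rule(events, allowlist))
    return [e for e in base_rule(events, case_insensitive=True) if e not in kept]


# Narrow exclusion for the "reconfiguration via PowerShell" scenario, pinned to
# one known admin script (assumed path, constructed for this example).
NARROW_ALLOWLIST: List[Predicate] = [
    lambda e: e.FileName.lower() == "powershell.exe"
    and e.ProcessCommandLine.lower().endswith(r"c:\admin\horizon-reconfigure.ps1"),
]

# The scenario's filter taken literally: CommandLine contains "PowerShell.exe".
BROAD_ALLOWLIST: List[Predicate] = [
    lambda e: "powershell.exe" in e.ProcessCommandLine.lower(),
]


if __name__ == "__main__":
    print("base rule (KQL semantics):", len(base_rule(SAMPLE_EVENTS)))
    print("base rule (case-insensitive):", len(base_rule(SAMPLE_EVENTS, case_insensitive=True)))
    for name, allowlist in (("narrow", NARROW_ALLOWLIST), ("broad", BROAD_ALLOWLIST)):
        dropped = suppressed_by(SAMPLE_EVENTS, allowlist)
        print(f"{name} allow-list suppressed {len(dropped)} hit(s):")
        for e in dropped:
            print("   ", e.DeviceName, e.ProcessCommandLine)
```

Running it shows the two points worth checking before tuning: the query's `!=` lets a differently cased `REPADMIN.EXE` through (use `!~` in KQL if that matters), and an exclusion keyed on "CommandLine contains PowerShell.exe" suppresses the encoded PowerShell hit along with the admin script, whereas the narrow predicate removes only the known script.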