java-executing-cmd-to-run-powershell

Hunt Hypothesis

The hypothesis is that an adversary is using a Java process to execute a command that runs PowerShell to perform stealthy system reconnaissance or lateral movement. A SOC team should proactively hunt for this behavior in Azure Sentinel as it indicates potential botnet activity and could signal the initial compromise of a system by a sophisticated threat actor.

KQL Query

DeviceProcessEvents                         
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
and ProcessCommandLine has_all('powershell iex','DownloadString')

Analytic Rule Definition

id: 99a5a930-9ca6-440e-95f4-dfe23d217157
name: java-executing-cmd-to-run-powershell
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  DeviceProcessEvents                         
  | where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
  and ProcessCommandLine has_all('powershell iex','DownloadString')

Required Data Sources

Sentinel Table	Notes
`DeviceProcessEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.yaml)

False Positive Guidance

Scenario: Scheduled Job Running PowerShell via Java for System Maintenance
Description: A legitimate scheduled job uses Java to execute a PowerShell script for system maintenance, such as log rotation or service restart.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" OR process.parent_process_path:"C:\\Windows\\System32\\schtasks.exe"
Scenario: Java-Based CI/CD Pipeline Invoking PowerShell for Deployment
Description: A Java-based CI/CD tool (e.g., Jenkins, GitLab CI) runs a PowerShell script to deploy an application or configure a server.
Filter/Exclusion: process.parent_process_name:"jenkins.exe" OR process.parent_process_name:"gitlab-runner.exe"
Scenario: Admin Using Java Tool to Run PowerShell for User Management
Description: An administrator uses a Java-based tool (e.g., a custom management console) to run PowerShell commands for user provisioning or group management.
Filter/Exclusion: process.parent_process_name:"CustomAdminTool.exe" OR process.parent_process_path:"C:\\Tools\\AdminConsole\\AdminConsole.exe"
Scenario: Java Application Using PowerShell for Log Parsing
Description: A Java application (e.g., a log analysis tool) uses PowerShell to parse and process log files for monitoring purposes.
Filter/Exclusion: process.name:"LogParser.exe" OR process.name:"log-analyzer.jar"
Scenario: Java-Based Monitoring Tool Invoking PowerShell for System Checks
Description: A Java-based monitoring tool (e.g., Nagios, Zabbix) runs PowerShell scripts to check system health, disk usage, or service status.
Filter/Exclusion: process.parent_process_name:"nagios.exe" OR process.parent_process_name:"zabbix_agentd.exe"