The JavaDeploymentToolkit rule detects potential adversary use of a Java-based deployment tool to execute malicious payloads or establish persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule JavaDeploymentToolkit
{
    meta:
        ref = "CVE-2010-0887"
        impact = 7
        author = "@d3t0n4t0r"
    strings:
        $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
        $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
        $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
        $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
        $cve20100887_5 = "document.body.appendChild(" nocase fullword
        $cve20100887_6 = "launch("
        $cve20100887_7 = "-J-jar -J" nocase fullword
    condition:
        3 of them
}
This rule contains 7 string patterns in its detection logic; it fires when any 3 of them are present. The following scenarios describe legitimate Java activity that may require filters or exclusions when this detection is deployed:
Scenario: Deployment of the Java Runtime Environment (JRE) via a standard enterprise update process
Filter/Exclusion: process.name != "java.exe" && process.name != "javaw.exe"; alternatively, check for process.parent.name == "setup.exe" || process.parent.name == "msiexec.exe"

Scenario: Scheduled Java-based maintenance tasks (e.g., using java -jar maintenance-tool.jar)
Filter/Exclusion: process.name == "java.exe" && process.args contains "maintenance-tool.jar"; alternatively, use process.parent.name == "task scheduler" || process.parent.name == "schtasks.exe"

Scenario: Java-based application used for internal reporting (e.g., JasperReports or Pentaho)
Filter/Exclusion: process.name == "java.exe" && process.args contains "reporting-tool.jar" || process.args contains "pentaho" || process.args contains "jasper"

Scenario: Java-based build tool (e.g., Maven or Gradle) running as part of a CI/CD pipeline
Filter/Exclusion: process.name == "java.exe" && process.args contains "mvn" || process.args contains "gradle"; alternatively, check for process.parent.name == "jenkins.exe" || process.parent.name == "azure-pipelines.exe"

Scenario: Java-based monitoring or logging tool (e.g., Log4j, ELK stack components)
Filter/Exclusion: process.name == "java.exe" && process.args contains "log4j" || process.args contains "elasticsearch" || process.args contains "logstash"; alternatively, check for process.parent.name == "systemd" || process.parent.name == "docker"