The hypothesis is that an adversary is leveraging Oracle WebLogic to execute PowerShell commands as part of a botnet operation to steal resources for cryptocurrency mining. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Sysrv botnet activity early in the attack lifecycle.
KQL Query

```kql
union DeviceProcessEvents, DeviceFileEvents
| where InitiatingProcessParentFileName =~ 'wlsvcX64.exe' and InitiatingProcessFileName =~ 'powershell.exe'
```
```yaml
id: 2397f77e-e33e-4658-9a81-fe9dbafb810d
name: oracle-webLogic-executing-powershell
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of Oracle WebLogic being exploited to run a PowerShell script that downloads payloads.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceFileEvents
query: |
  union DeviceProcessEvents, DeviceFileEvents
  | where InitiatingProcessParentFileName =~ 'wlsvcX64.exe' and InitiatingProcessFileName =~ 'powershell.exe'
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled PowerShell Jobs for System Maintenance
Description: An administrator schedules a legitimate PowerShell job using schtasks or Task Scheduler to perform routine system maintenance, such as log rotation or disk cleanup.
Filter/Exclusion: Check the command line arguments of powershell.exe using the CommandLine field. Exclude jobs that include schtasks.exe, Task Scheduler, or known maintenance scripts (e.g., Cleanup-Log.ps1).
Scenario: Admin Using PowerShell for Configuration Management
Description: A system administrator uses PowerShell to configure Oracle WebLogic Server settings, such as updating JVM parameters or applying patches.
Filter/Exclusion: Filter by ProcessName to exclude powershell.exe when the parent process is a known administrative tool (e.g., wsadmin, java.exe with -Dweblogic.Name).
Scenario: Oracle WebLogic Server Scheduled Job Execution
Description: The WebLogic Server itself runs a scheduled job (e.g., wlst.sh or wlst.py) to perform automated tasks like backup or monitoring.
Filter/Exclusion: Check the ProcessParent field to ensure the parent process is a known WebLogic service (e.g., java.exe with -Dweblogic.Name or nodemanager).
Scenario: PowerShell Script for Patch Deployment
Description: A security team deploys a PowerShell script via a centralized management tool (e.g., Microsoft Intune or SCCM) to apply patches to multiple WebLogic servers.
Filter/Exclusion: Use the SourceIP or User field to exclude scripts executed from internal security management systems (e.g., 10.0.0.1 or [email protected]).
Scenario: PowerShell for Log Analysis or Monitoring
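Putting the base query and the exclusion scenarios above together, the following is an added example of a tuned hunting query; it is not the page's query and not Microsoft's published one. Column names (Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType, FolderPath) follow the standard advanced hunting schema for DeviceProcessEvents and DeviceFileEvents. The allow-listed script names and account name, and the download and obfuscation tokens used to flag likely Sysrv-style activity, are constructed placeholders to be replaced with your own baseline, not indicators taken from the page.

```kql
// Added example: the page's base query tuned with the exclusion scenarios.
// Allow-list values below are constructed placeholders, not real indicators.
let lookback = 7d;
// Scenario 1: known maintenance scripts launched as scheduled jobs (constructed).
let knownMaintenanceScripts = dynamic(["Cleanup-Log.ps1", "Rotate-Logs.ps1"]);
// Scenario 4: accounts used by the central patch-management tool (constructed).
let managementAccounts = dynamic(["svc-patchmgmt"]);
union
    (DeviceProcessEvents
     | where Timestamp > ago(lookback)
     | extend Source = "DeviceProcessEvents",
              Evidence = strcat(FileName, " ", ProcessCommandLine)),
    (DeviceFileEvents
     | where Timestamp > ago(lookback)
     | extend Source = "DeviceFileEvents",
              Evidence = strcat(ActionType, " ", FolderPath))
// Base condition from the page: PowerShell spawned by the WebLogic service.
| where InitiatingProcessParentFileName =~ 'wlsvcX64.exe'
    and InitiatingProcessFileName =~ 'powershell.exe'
// Scenario 1: drop runs of allow-listed maintenance scripts.
| where not(InitiatingProcessCommandLine has_any (knownMaintenanceScripts))
// Scenario 4: drop runs started by the patch-management account.
| where InitiatingProcessAccountName !in~ (managementAccounts)
// Flag the traits that match the hypothesis: a download cradle and
// hidden or encoded execution (token list is an assumption, not from the page).
| extend Download = InitiatingProcessCommandLine has_any (
        "DownloadString", "DownloadFile", "Invoke-WebRequest", "iwr",
        "Net.WebClient", "curl", "wget")
| extend Obfuscated = InitiatingProcessCommandLine has_any (
        "-enc", "-EncodedCommand", "-w hidden", "-WindowStyle Hidden",
        "-nop", "bypass")
| project Timestamp, DeviceName, Source, InitiatingProcessAccountName,
          InitiatingProcessParentFileName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, Evidence, Download, Obfuscated
| sort by Timestamp desc
```

Because the base condition already requires the parent to be wlsvcX64.exe, the scenarios whose parent is java.exe, nodemanager or wsadmin never reach the exclusion stage; the tuning that actually changes results is on the PowerShell command line and on the launching account, which is why only those two filters appear. Triage rows with Download or Obfuscated set to true first: a powershell.exe spawned by the WebLogic service that pulls a remote file is exactly the behaviour the hypothesis describes. A hit that matches an allow-listed script name should still be reviewed once before the entry is trusted as baseline, since an attacker can name a dropped script anything.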