← Back to SOC feed Coverage →

Suspicious Processes Spawned by Java.EXE

sigma HIGH SigmaHQ
imProcessCreate
exploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Detection Rule

Sigma (Original)

title: Suspicious Processes Spawned by Java.EXE
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
    - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
      type: similar
status: test
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021-12-17
modified: 2024-01-18
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\query.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate calls to system binaries
    - Company specific internal usage
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\java.exe" or ActingProcessName endswith "\\java.exe") and (TargetProcessName endswith "\\AppVLP.exe" or TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\certutil.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\curl.exe" or TargetProcessName endswith "\\forfiles.exe" or TargetProcessName endswith "\\hh.exe" or TargetProcessName endswith "\\mftrace.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\net1.exe" or TargetProcessName endswith "\\query.exe" or TargetProcessName endswith "\\reg.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\schtasks.exe" or TargetProcessName endswith "\\scrcons.exe" or TargetProcessName endswith "\\scriptrunner.exe" or TargetProcessName endswith "\\sh.exe" or TargetProcessName endswith "\\systeminfo.exe" or TargetProcessName endswith "\\whoami.exe" or TargetProcessName endswith "\\wmic.exe" or TargetProcessName endswith "\\wscript.exe")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml