Java Executing cmd to run Powershell
| Id | 2c81c0a0-9823-4a14-b21a-2b4acd3335d2 |
| Rulename | Java Executing cmd to run Powershell |
| Description | This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. |
| Severity | High |
| Tactics | Execution |
| Techniques | T1059 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml |
| Version | 1.0.0 |
| Arm template | 2c81c0a0-9823-4a14-b21a-2b4acd3335d2.json |
DeviceProcessEvents
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
query: |
DeviceProcessEvents
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
version: 1.0.0
kind: Scheduled
tactics:
- Execution
triggerOperator: gt
tags:
- Sysrv
- Botnet
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1059
id: 2c81c0a0-9823-4a14-b21a-2b4acd3335d2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
description: |
This query was originally published in the threat analytics report, Sysrv botnet evolution.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
name: Java Executing cmd to run Powershell
queryPeriod: 1h
severity: High
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
"properties": {
"alertRuleTemplateName": "2c81c0a0-9823-4a14-b21a-2b4acd3335d2",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, Sysrv botnet evolution.\nSysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.\nThe following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.\n",
"displayName": "Java Executing cmd to run Powershell",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml",
"query": "DeviceProcessEvents \n| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' \nand ProcessCommandLine has_all('powershell iex','DownloadString')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"Sysrv",
"Botnet"
],
"techniques": [
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}