Java Executing cmd to run Powershell

Back


Id	2c81c0a0-9823-4a14-b21a-2b4acd3335d2
Rulename	Java Executing cmd to run Powershell
Description	This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
Severity	High
Tactics	Execution
Techniques	T1059
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
Version	1.0.0
Arm template	2c81c0a0-9823-4a14-b21a-2b4acd3335d2.json

KQL

DeviceProcessEvents                         
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

YAML

triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryPeriod: 1h
id: 2c81c0a0-9823-4a14-b21a-2b4acd3335d2
relevantTechniques:
- T1059
triggerOperator: gt
name: Java Executing cmd to run Powershell
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.  
status: Available
query: |
  DeviceProcessEvents                         
  | where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
  and ProcessCommandLine has_all('powershell iex','DownloadString')
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
severity: High
queryFrequency: 1h
tags:
- Sysrv
- Botnet
tactics:
- Execution

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
      "properties": {
        "alertRuleTemplateName": "2c81c0a0-9823-4a14-b21a-2b4acd3335d2",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Sysrv botnet evolution.\nSysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.\nThe following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.\n",
        "displayName": "Java Executing cmd to run Powershell",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml",
        "query": "DeviceProcessEvents                         \n| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' \nand ProcessCommandLine has_all('powershell iex','DownloadString')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "tags": [
          "Sysrv",
          "Botnet"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}