Java Executing cmd to run Powershell

Back


Id	2c81c0a0-9823-4a14-b21a-2b4acd3335d2
Rulename	Java Executing cmd to run Powershell
Description	This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
Severity	High
Tactics	Execution
Techniques	T1059
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
Version	1.0.0
Arm template	2c81c0a0-9823-4a14-b21a-2b4acd3335d2.json

KQL

DeviceProcessEvents                         
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

YAML

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
kind: Scheduled
name: Java Executing cmd to run Powershell
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
tactics:
- Execution
triggerThreshold: 0
version: 1.0.0
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
status: Available
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.  
tags:
- Sysrv
- Botnet
queryPeriod: 1h
severity: High
queryFrequency: 1h
relevantTechniques:
- T1059
id: 2c81c0a0-9823-4a14-b21a-2b4acd3335d2
triggerOperator: gt
query: |
  DeviceProcessEvents                         
  | where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
  and ProcessCommandLine has_all('powershell iex','DownloadString')
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
      "properties": {
        "alertRuleTemplateName": "2c81c0a0-9823-4a14-b21a-2b4acd3335d2",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Sysrv botnet evolution.\nSysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.\nThe following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.\n",
        "displayName": "Java Executing cmd to run Powershell",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml",
        "query": "DeviceProcessEvents                         \n| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' \nand ProcessCommandLine has_all('powershell iex','DownloadString')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "tags": [
          "Sysrv",
          "Botnet"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}