Java Executing cmd to run Powershell
Id | 2c81c0a0-9823-4a14-b21a-2b4acd3335d2 |
Rulename | Java Executing cmd to run Powershell |
Description | This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. |
Severity | High |
Tactics | Execution |
Techniques | T1059 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml |
Version | 1.0.0 |
Arm template | 2c81c0a0-9823-4a14-b21a-2b4acd3335d2.json |
DeviceProcessEvents
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
query: |
DeviceProcessEvents
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'
and ProcessCommandLine has_all('powershell iex','DownloadString')
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
queryPeriod: 1h
queryFrequency: 1h
status: Available
id: 2c81c0a0-9823-4a14-b21a-2b4acd3335d2
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
relevantTechniques:
- T1059
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
name: Java Executing cmd to run Powershell
description: |
This query was originally published in the threat analytics report, Sysrv botnet evolution.
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
tactics:
- Execution
tags:
- Sysrv
- Botnet
severity: High
triggerThreshold: 0
version: 1.0.0
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c81c0a0-9823-4a14-b21a-2b4acd3335d2')]",
"properties": {
"alertRuleTemplateName": "2c81c0a0-9823-4a14-b21a-2b4acd3335d2",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, Sysrv botnet evolution.\nSysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.\nThe following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.\n",
"displayName": "Java Executing cmd to run Powershell",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml",
"query": "DeviceProcessEvents \n| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' \nand ProcessCommandLine has_all('powershell iex','DownloadString')\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"Sysrv",
"Botnet"
],
"techniques": [
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}