Shell process created by Java application

What happened

{{#is_exact_match "case_name" "confluence_server_spawned_shell_potential_rce"}}A Confluence server executed the command {{ @process.comm }}. The server may be vulnerable to one of several well-known remote-code execution (RCE) exploits.{{/is_exact_match}} {{#is_exact_match "case_name" "java_shell_execution_known_bad"}}A Java application executed the command {{ @process.comm }} with arguments associated with malicious behavior. This activity should never be executed legitimately.{{/is_exact_match}} {{#is_exact_match "case_name" "java_shell_execution_unusual"}}A Java application executed the command {{ @process.comm }}, which is unusual. Review the process tree and associated process arguments.{{/is_exact_match}} {{#is_exact_match "case_name" "java_shell_execution_suspicious"}}A Java application executed the command {{ @process.comm }}, which is suspicious. Review the process tree and associated process arguments.{{/is_exact_match}} {{#is_exact_match "case_name" "java_shell_execution"}}A Java process executed the command {{ @process.comm }}, which may indicate the service is vulnerable to remote code execution (RCE).{{/is_exact_match}}

Goal

Detect attackers taking advantage of a flaw in a Java application to execute commands.

Strategy

This detection monitors process executions and generates a signal when a shell process is spawned by a Java process. The severity of the signal depends on how closely the activity matches known malicious behavior.

Triage and response

  • Java applications have a variety of uses. Determine the nature and purpose of the service.
  • Determine whether there is an approved purpose for the Java process to execute {{ @process.comm }}. {{#if service}}Contacting the owner of the {{service}} service may be necessary.{{/if}}
  • If this behavior is unexpected, attempt to contain the compromise.
  • Investigate application logs or traces to identify the cause of the execution.
  • Find and repair the root cause of the exploit. {{#is_exact_match "case_name" "confluence_server_spawned_shell_potential_rce"}}If a vulnerability in Confluence is the root cause, update the server to the latest version.{{/is_exact_match}}
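The following is an added example, not Datadog's rule logic or Agent code. It models the Strategy section (a shell spawned under a Java ancestor, graded into the rule's case_name tiers) and the triage steps above (rendering the process tree with arguments and attributing the shell to a service). The set of shell binaries, the argument markers behind each tier, the per-service command baseline, and every pid, path and service name in the sample events are constructed assumptions, not values from the page.

```python
# Added example, not Datadog's rule code: a toy version of the strategy above.
# Assumptions (mine, not the page's): which binaries count as shells, the
# argument markers behind each severity tier, and the per-service baseline.
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed indicator lists; a real rule set would be far larger.
KNOWN_BAD_MARKERS = ("/dev/tcp/",)                    # bash network redirection
SUSPICIOUS_MARKERS = ("base64 -d", "| sh", "| bash")  # decode-and-run pipelines

# Constructed baseline of shell commands each service is known to run.
BASELINE: Dict[str, set] = {"billing-api": {"/opt/billing/bin/rotate-logs.sh"}}


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    comm: str            # the {{ @process.comm }} of the rule text
    args: List[str]
    service: Optional[str] = None


def build_tree(events: List[ExecEvent]) -> Dict[int, ExecEvent]:
    return {e.pid: e for e in events}


def ancestors(tree: Dict[int, ExecEvent], pid: int) -> List[ExecEvent]:
    """Walk the ppid chain from pid upward (nearest ancestor first)."""
    chain: List[ExecEvent] = []
    cur = tree.get(pid)
    while cur is not None and cur.ppid in tree:
        cur = tree[cur.ppid]
        chain.append(cur)
    return chain


def shell_command(event: ExecEvent) -> str:
    """Return the string passed to `-c`, or the remaining args if there is none."""
    if "-c" in event.args:
        idx = event.args.index("-c")
        return " ".join(event.args[idx + 1:])
    return " ".join(event.args[1:])


def classify(tree: Dict[int, ExecEvent], pid: int) -> Optional[str]:
    """Map an exec event to one of the rule's case_name values, or None."""
    event = tree[pid]
    java = next((a for a in ancestors(tree, pid) if a.comm == "java"), None)
    if java is None or event.comm not in SHELLS:
        return None
    cmd = shell_command(event)
    if any(m in cmd for m in KNOWN_BAD_MARKERS):
        return "java_shell_execution_known_bad"
    if "confluence" in " ".join(java.args).lower():   # assumed Confluence marker
        return "confluence_server_spawned_shell_potential_rce"
    if any(m in cmd for m in SUSPICIOUS_MARKERS):
        return "java_shell_execution_suspicious"
    if cmd in BASELINE.get(java.service or "", set()):
        return "java_shell_execution"                  # seen before, lowest tier
    return "java_shell_execution_unusual"


def process_tree(tree: Dict[int, ExecEvent], pid: int) -> List[str]:
    """Render root-to-leaf lineage with arguments, for the triage steps above."""
    chain = list(reversed(ancestors(tree, pid))) + [tree[pid]]
    return [f"{'  ' * depth}{e.comm}[{e.pid}] {' '.join(e.args)}"
            for depth, e in enumerate(chain)]


def scan(events: List[ExecEvent]) -> Dict[int, str]:
    """Return {pid: case_name} for every event that would raise a signal."""
    tree = build_tree(events)
    return {e.pid: c for e in events if (c := classify(tree, e.pid))}


# Constructed sample events (pids, paths and services are made up).
SAMPLE_EVENTS = [
    ExecEvent(1, 0, "systemd", ["/sbin/init"]),
    ExecEvent(100, 1, "java", ["java", "-jar", "/opt/atlassian/confluence/app.jar"], "confluence"),
    ExecEvent(101, 100, "sh", ["sh", "-c", "id"]),
    ExecEvent(200, 1, "java", ["java", "-jar", "/opt/billing/api.jar"], "billing-api"),
    ExecEvent(201, 200, "bash", ["bash", "-c", "echo <blob> | base64 -d | sh"]),
    ExecEvent(202, 200, "sh", ["sh", "-c", "/opt/billing/bin/rotate-logs.sh"]),
    ExecEvent(203, 200, "sh", ["sh", "-c", "uname -a"]),
    ExecEvent(204, 200, "cat", ["cat", "/etc/hostname"]),   # not a shell: no signal
    ExecEvent(300, 1, "sh", ["sh", "-c", "ls"]),            # no Java ancestor: no signal
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    for hit_pid, case in scan(SAMPLE_EVENTS).items():
        print(f"[{case}] service={tree[tree[hit_pid].ppid].service}")
        print("\n".join(process_tree(tree, hit_pid)))
```

The tier order matters: known-bad markers win over the Confluence case, and a shell whose command string matches the service's baseline still produces the lowest-severity signal rather than none, mirroring the rule's plain `java_shell_execution` case. The rendered tree is what the "review the process tree and associated process arguments" steps ask an analyst to look at.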

Changelog

  • 26 September 2024 - Updated rule name and description

Requires Agent version 7.27 or later