Java Dropped and Executed With DNS Lookup

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute them immediately to establish command and control while evading application control focused on native Windows binaries.

Rule type: eql

Rule indices:

  • logs-endpoint.events.process-*
  • logs-endpoint.events.network-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Command and Control
  • Data Source: Elastic Defend
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Java Dropped and Executed With DNS Lookup

This rule correlates a recently created or modified javaw.exe launch from Users, ProgramData, or Windows\Temp with an immediate DNS lookup from the same process. Attackers often drop JAR-based payloads to user-writable locations and invoke them with -jar or -cp/-classpath to blend in with legitimate Java usage while reaching out to command and control infrastructure.

Possible investigation steps

  • Review process.executable, process.command_line, and process.args to identify the JAR or classpath target and whether the path is user-writable or unexpected for the host role.
  • Inspect process.Ext.relative_file_creation_time and process.Ext.relative_file_name_modify_time to confirm the binary or payload was staged immediately before execution.
  • Examine the parent process tree for download, archive extraction, or script activity that may have dropped the JAR or javaw.exe.
  • Pivot on the DNS event for dns.question.name, dns.resolved_ip, and any follow-on connection attempts from the same process.entity_id.
  • Check code signature details for javaw.exe and any referenced JAR files when file telemetry is available.
  • Hunt for the same JAR hash, command line, or queried domain on other hosts.

False positive analysis

  • Developer workflows, local Java applications, and enterprise tools may run freshly updated JARs from user profiles or ProgramData. Validate the JAR path, signer, parent process, and queried domain against known software before closing as benign.
  • Some installers or updaters drop a private JRE under ProgramData and launch JAR utilities during setup. Confirm the activity aligns with a known deployment or update window.

Response and remediation

  • Isolate the host if the JAR, domain, or parent activity appears malicious.
  • Quarantine the dropped JAR, related Java runtime files, and any staging artifacts identified in the process tree.
  • Block malicious domains or IPs at DNS and network enforcement points.
  • Reset credentials for accounts active on the host during the suspicious session if follow-on activity is observed.

Rule query

sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and
  (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
  (process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and
  process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and
  user.id != "S-1-5-18" and
  (
   (process.args_count == 3 and process.args : "-jar") or
   (process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
  )]
 [network where host.os.type == "windows" and event.action: "lookup_requested"]
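The two-step correlation the query performs, as an added Python example (not Elastic's code): the rule's path, file-age, user and argument filters are applied to constructed process events, and each matching start is then paired with a lookup_requested event from the same entity_id within maxspan. The flat event dictionaries, the proc()/dns() helpers and every sample value are assumptions of this example, not fields or data from the rule.

```python
import fnmatch
# Field names are simplified stand-ins for the query's ECS fields (an assumption of this example); "ts" is epoch seconds.
STAGED_PATHS = ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*")
MAXSPAN = 60  # maxspan=1m, in seconds
def glob(value, *patterns):
    """EQL ':' semantics: case-insensitive wildcard match over the whole string."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_staged_javaw_start(ev):
    """Step 1: freshly written javaw.exe in a user-writable path, non-SYSTEM, running a JAR or classpath."""
    if ev["category"] != "process" or ev["action"] != "start":
        return False
    recent = ev["creation_age"] <= 500 or ev["modify_age"] <= 500  # relative_file_*_time, in seconds
    is_javaw = glob(ev["name"], "javaw.exe") or ev["original_file_name"] == "javaw.exe"
    args = ev["args"]
    jar_launch = len(args) == 3 and any(glob(a, "-jar") for a in args)
    cp_launch = (len(args) == 4 and any(glob(a, "-cp", "-classpath") for a in args)
                 and glob(ev["command_line"], " *.* "))  # command_line pattern taken as printed in the query
    return (recent and is_javaw and glob(ev["executable"], *STAGED_PATHS)
            and ev["user_id"] != "S-1-5-18" and (jar_launch or cp_launch))

def correlate(events):
    """Step 2: the same process.entity_id requests a DNS lookup within MAXSPAN of that start."""
    alerts = []
    for i, start in enumerate(events):
        if not is_staged_javaw_start(start):
            continue
        for ev in events[i + 1:]:  # events are assumed time-ordered, as the sequence requires
            if (ev["entity_id"] == start["entity_id"] and ev["action"] == "lookup_requested"
                    and ev["ts"] - start["ts"] <= MAXSPAN):
                alerts.append((start["entity_id"], ev["question_name"]))
                break
    return alerts

def proc(ts, eid, exe, args, user="S-1-5-21-1000", age=60):
    return {"ts": ts, "category": "process", "action": "start", "entity_id": eid, "name": "javaw.exe",
            "original_file_name": "javaw.exe", "executable": exe, "user_id": user, "creation_age": age,
            "modify_age": age, "args": args, "command_line": " ".join(args)}

def dns(ts, eid, qname):
    return {"ts": ts, "category": "network", "action": "lookup_requested", "entity_id": eid, "question_name": qname}
# Constructed sample telemetry (not real data): one true positive and two non-matching cases.
EVENTS = [
    proc(1000, "p1", "C:\\Users\\alice\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe", ["javaw.exe", "-jar", "C:\\Users\\alice\\update.jar"]),
    dns(1020, "p1", "updates.example.invalid"),    # hit: lookup 20 s after the start
    proc(2000, "p2", "C:\\Program Files\\Java\\bin\\javaw.exe", ["javaw.exe", "-jar", "C:\\tools\\ide.jar"]),
    dns(2001, "p2", "plugins.example.invalid"),    # miss: not one of the user-writable staging paths
    proc(3000, "p3", "C:\\ProgramData\\vendor\\javaw.exe", ["javaw.exe", "-jar", "C:\\ProgramData\\vendor\\tool.jar"]),
    dns(3180, "p3", "telemetry.example.invalid"),  # miss: 3 minutes exceeds maxspan
]
```

Running correlate(EVENTS) returns only the p1 pair; the p3 case shows why the 1m maxspan matters when tuning, since a slower beacon would need a wider window or a separate rule.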

Framework: MITRE ATT&CK™