Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL) or spawning a suspicious child process such as cmd, PowerShell, or rundll32. This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious SQLite extensions and achieve remote code execution.

Rule type: eql

Rule indices:

  • logs-endpoint.events.library-*
  • logs-endpoint.events.process-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Use Case: Vulnerability
  • Data Source: Elastic Defend
  • Resources: Investigation Guide

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Possible investigation steps

  1. Which path fired, and what alert-local evidence defines it?
    • Why: The single-event branch decides whether DLL fields or child-process fields carry the decisive evidence.
    • Focus: event.category, Java path in process.executable or process.parent.executable, dll.path, and child process.command_line.
    • Hint: record process.entity_id for library alerts and process.parent.entity_id for child-process alerts before later pivots.
    • Implication: Escalate quickly for Web Help Desk Java loading remote or untrusted native code, or spawning "cmd.exe", "powershell.exe", or "rundll32.exe" with payload behavior. Lower concern only when the exact branch maps to a recognized local extension, authorized validation, or vendor support action and process or DLL evidence stays consistent.
  2. Does the Java-side identity match the expected Web Help Desk service instance?
    • Focus: Java path from step 1 and Java command line: process.command_line for library alerts or process.parent.command_line for child-process alerts.
    • Implication: Escalate when the Java path falls outside the WebHelpDesk install tree or the service command line is abnormal for the deployed server. Identity lowers suspicion only when the exact Java path and service context match the installed server; it does not clear a remote DLL load or shell child.
  3. For the DLL-load path, does the module look like a remote SQLite-extension payload or an unsupported native component?
    • Why: Malicious SQLite-extension style native loading makes DLL path and trust state the strongest branch evidence.
    • Focus: dll.path, dll.hash.sha256, dll.code_signature.exists, dll.code_signature.trusted, and dll.code_signature.subject_name.
    • Implication: Escalate when dll.path shows "\Device\Mup\", a UNC-style share, a temp or unrelated writable path, an unsigned or untrusted module, or a signer unrelated to Web Help Desk or its controlled extension set. Lower concern only when the module is local to the Web Help Desk or JDBC layout and has a recognized hash or signer.
  4. For the child-process path, does the Java-spawned child show post-exploitation intent?
    • Focus: process.name, process.command_line, and process.parent.command_line.
    • Implication: Escalate when the command line decodes or stages payloads, loads DLLs, launches scripts, performs discovery, or changes persistence. Lower concern only for an exact recognized validation or vendor-support command on this server with no contradictory DLL evidence.
  5. Did the same Web Help Desk Java instance produce more DLL loads or suspicious children around the alert?
    • Focus: process and library events scoped by host.id plus the Java-side process.entity_id or process.parent.entity_id; review process.command_line, dll.path, and dll.hash.sha256. !{investigate{"description":"","label":"Process and DLL activity tied to the Web Help Desk Java instance","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"library","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.parent.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"library","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}],[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.parent.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
    • Implication: Escalate when the same Java instance loads multiple remote or untrusted DLLs, starts multiple shell or loader children, or shows child execution after a suspicious DLL load. An absence of surrounding process or library events narrows the scope but does not clear the original alert.
  6. If local evidence remains suspicious or unresolved, are there related exploit or post-exploitation alerts on this server?
    • Focus: related alerts on host.id, especially Web Help Desk exploitation, suspicious Java children, DLL loads, persistence, or credential access. !{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
    • Implication: Expand scope when related alerts align with the same Java process, DLL hash, or child command pattern. Keep the case local when related-alert review is clean, but do not use alert isolation alone to close.
  • Escalate on remote or untrusted DLL loading, malicious child execution, or same-Java corroboration; close only when branch evidence tightly matches a recognized local extension, authorized validation, or vendor support action on this host with no contradictory process or DLL evidence; if visibility or authorization is incomplete, preserve evidence and escalate.

False positive analysis

  • Local native extension, JDBC, or vendor-support testing can explain the DLL path only when the module stays local to the Web Help Desk or controlled plugin layout; dll.hash.sha256, dll.code_signature.subject_name, and dll.code_signature.trusted match the expected component; Java identity matches the installed server; and no Java-spawned shell or loader appears. Without support or change records, require telemetry-only alignment across host.id, Java process.executable or process.parent.executable, dll.path, and dll.hash.sha256; otherwise treat as unresolved.
  • Java-spawned "cmd.exe", "powershell.exe", or "rundll32.exe" is a Web Help Desk operational anti-pattern. Close only for authorized validation or vendor support where process.name, process.command_line, process.parent.executable, and host.id match that exact activity and no remote or untrusted DLL evidence appears. Without exact support or validation context, treat the branch as suspicious.
  • Before creating an exception, validate stable benign behavior for the exact workflow and host. For DLL loads, anchor on Java identity, dll.path, dll.hash.sha256, dll.code_signature.subject_name, and host.id; for child processes, anchor on Java parent identity, exact process.command_line, and host.id. Avoid exceptions on "java.exe", the WebHelpDesk path prefix, a DLL directory prefix, or the server alone.

Response and remediation

  • If confirmed benign, reverse temporary containment and document the Java identity, DLL hash/path or child command line, host.id, and support, validation, or extension evidence that proved the workflow. Create an exception only from the narrow branch-specific anchors that proved that workflow.
  • If suspicious but unconfirmed, preserve the alert export, process tree, Java and child command lines, loaded DLL file, DLL hash/signature, and any "\Device\Mup\" share path before containment. Apply reversible containment first, such as restricting Web Help Desk exposure or blocking the observed remote share path, and escalate to endpoint isolation only when DLL or child-process evidence suggests active payload execution.
  • If confirmed malicious, preserve process, DLL, and case artifacts before destructive action. Isolate the endpoint when the Java process is executing payloads or reaching remote native-code staging, block the malicious share path or DLL hash, collect the loaded DLL and relevant process evidence before termination, then remove only the payloads, persistence items, and service changes identified during the investigation.
  • Remediate the entry vector by upgrading or patching Web Help Desk to the vendor-fixed release, confirming the exposed service is no longer vulnerable, and reviewing whether public access, outbound SMB from the server, or native-extension/plugin controls need tighter restrictions.
  • Post-incident hardening: retain the process and library telemetry that proved the case, document remote SQLite-extension loading or Java-spawned shell activity for future triage, and record any authorized validation or support exception with its exact branch-specific anchors.

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Rule query

any where host.os.type == "windows" and
(
 (event.category == "library" and
  process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe") and
  (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or

 (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
  process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
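The two branches of the query above, re-implemented in plain Python and run over constructed sample events, as an added example that is not part of Elastic's rule or documentation. Beyond matching, it returns the pivot fields that step 1 of the investigation guide asks you to record (process.entity_id for library alerts, process.parent.entity_id for child-process alerts), and the third sample event shows why a DLL with no code_signature object at all matches neither the trusted == false nor the ?exists == false term. The path globs, process names and the "\Device\Mup\" prefix are taken from the rule; every helper name, host, share name, entity_id and file path is a constructed placeholder.

```python
import fnmatch

# Values copied from the rule query; everything else here is constructed for
# illustration and is not Elastic's rule implementation.
JAVA_PATH_GLOBS = (
    r"C:\Program Files\WebHelpDesk\*\java*.exe",
    r"C:\Program Files (x86)\WebHelpDesk\*\java*.exe",
)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
REMOTE_DLL_PREFIX = "\\Device\\Mup\\"   # module mapped through the UNC redirector


def get(event, dotted):
    """Read a dotted ECS field from a nested dict; None when any level is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_whd_java(path):
    """EQL ':' on a keyword field is a case-insensitive wildcard comparison."""
    if not path:
        return False
    return any(fnmatch.fnmatchcase(path.lower(), g.lower()) for g in JAVA_PATH_GLOBS)


def library_branch(event):
    """First branch: Web Help Desk java loading a remote, untrusted, or unsigned DLL."""
    if get(event, "event.category") != "library":
        return False
    if not is_whd_java(get(event, "process.executable")):
        return False
    dll_path = get(event, "dll.path") or ""
    remote = dll_path.lower().startswith(REMOTE_DLL_PREFIX.lower())
    # '== false' matches only a field that is present and false; the '?' on
    # dll.code_signature.exists keeps EQL from erroring when the field is absent
    # from the mapping, so a missing code_signature object matches neither term.
    trusted = get(event, "dll.code_signature.trusted")
    exists = get(event, "dll.code_signature.exists")
    return remote or trusted is False or exists is False


def process_branch(event):
    """Second branch: cmd, PowerShell, or rundll32 whose parent is Web Help Desk java."""
    if get(event, "event.category") != "process":
        return False
    name = (get(event, "process.name") or "").lower()
    return name in SUSPICIOUS_CHILDREN and is_whd_java(get(event, "process.parent.executable"))


def classify(event):
    """Return the branch that fired plus the step-1 pivot fields, or None for no alert."""
    if get(event, "host.os.type") != "windows":
        return None
    if library_branch(event):
        return {"branch": "library",
                "java_path": get(event, "process.executable"),
                "java_entity_id": get(event, "process.entity_id"),
                "evidence": get(event, "dll.path")}
    if process_branch(event):
        return {"branch": "process",
                "java_path": get(event, "process.parent.executable"),
                "java_entity_id": get(event, "process.parent.entity_id"),
                "evidence": get(event, "process.command_line")}
    return None


def _win(category):
    return {"host": {"os": {"type": "windows"}}, "event": {"category": category}}


WHD_JAVA = r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"   # constructed path

# Constructed sample events; share names, paths and entity IDs are placeholders.
SAMPLE_EVENTS = [
    # 1: DLL pulled from a remote share through \Device\Mup -> library branch fires
    {**_win("library"), "process": {"executable": WHD_JAVA, "entity_id": "java-001"},
     "dll": {"path": "\\Device\\Mup\\fileserver.example\\share\\ext.dll",
             "code_signature": {"exists": False}}},
    # 2: local, signed and trusted JDBC module -> no alert
    {**_win("library"), "process": {"executable": WHD_JAVA, "entity_id": "java-001"},
     "dll": {"path": r"C:\Program Files\WebHelpDesk\bin\sqlitejdbc.dll",
             "code_signature": {"exists": True, "trusted": True}}},
    # 3: local DLL with no code_signature object at all -> neither term matches
    {**_win("library"), "process": {"executable": WHD_JAVA, "entity_id": "java-001"},
     "dll": {"path": r"C:\Program Files\WebHelpDesk\bin\native.dll"}},
    # 4: Web Help Desk java (x86 tree) spawning cmd.exe -> process branch fires
    {**_win("process"),
     "process": {"name": "cmd.exe", "command_line": "cmd.exe /c ver", "entity_id": "cmd-002",
                 "parent": {"executable": r"C:\Program Files (x86)\WebHelpDesk\bin\jre\bin\java.exe",
                            "entity_id": "java-001"}}},
    # 5: cmd.exe with an unrelated parent -> no alert
    {**_win("process"),
     "process": {"name": "cmd.exe", "command_line": "cmd.exe /c ver", "entity_id": "cmd-003",
                 "parent": {"executable": r"C:\Windows\explorer.exe", "entity_id": "exp-004"}}},
]


def run(events=SAMPLE_EVENTS):
    """Classify every event; None means the rule would not produce an alert."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for n, result in enumerate(run(), 1):
        print(n, result)
```

Running the file prints one line per sample event; events 1 and 4 come back with a branch and java_entity_id "java-001", which is the value you would carry into the step-5 pivot, while events 2, 3 and 5 return None. Note that the `?` only suppresses a mapping error; it does not make an absent code signature count as "unsigned", which is why a module with no code_signature fields at all has to be judged on dll.path and dll.hash.sha256 in step 3.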

Framework: MITRE ATT&CK™