Suspicious Java Execution from User-Writable Paths with DNS Lookup
This brief describes the detection of suspicious `javaw.exe` execution on Windows systems by adversaries leveraging recently dropped or modified Java payloads from user-writable directories (e.g., `Users`, `ProgramData`, `Windows\Temp`) to establish command and control via immediate DNS lookups, thereby evading application control mechanisms.
Adversaries are known to deploy malicious Java applications (JARs or classpath-based applications) to Windows systems, often by dropping them into user-writable locations such as user profiles, ProgramData, or the Windows\Temp directory. These applications are then executed using javaw.exe, typically with arguments like -jar or -cp (classpath). The threat identified involves such an execution immediately followed by an outbound DNS lookup, indicating an attempt to establish command and control (C2) infrastructure. This technique allows attackers to bypass application control mechanisms that primarily focus on native Windows executables, as javaw.exe itself is a legitimate binary. The timing is critical, focusing on javaw.exe processes that were recently created or modified, suggesting a staged payload.
Attack Chain
- Initial Access: (Unspecified by the detection rule, but assumed) An attacker gains initial access to a Windows system through various means (e.g., phishing, exploit of a vulnerable service, compromised credentials).
- Payload Staging: A malicious Java payload (e.g., a
.jarfile or a collection of Java classes) is dropped onto the compromised system into a user-writable directory likeC:\Users\<username>\AppData\Local\Temp,C:\ProgramData\, orC:\Windows\Temp\. - Execution from Suspicious Path: The attacker executes the
javaw.exeprocess from one of these user-writable locations. - Java Application Launch: The
javaw.exeprocess is launched with specific arguments, such as-jar malicious.jaror-cp <classpath> MainClass, to run the staged malicious Java application. - Command and Control (C2) Initiation: The malicious Java application immediately attempts to perform a DNS lookup, aiming to resolve the IP address of its command and control server.
- Establishing C2 Channel: Upon successful DNS resolution, the malicious application attempts to establish a communication channel with the C2 server to receive further commands or exfiltrate data.
- Impact (Further Compromise): The established C2 channel enables the attacker to perform further actions, including data exfiltration, deploying additional malware, or maintaining persistence.
Impact
Successful exploitation allows attackers to establish a covert command and control channel, giving them persistent access to the compromised system. This can lead to unauthorized data exfiltration, further malware deployment (e.g., ransomware, infostealers), lateral movement within the network, and full system compromise. The ability to execute malicious code via a legitimate Java runtime from user-writable locations makes this technique difficult to detect for organizations relying solely on traditional application whitelisting and can result in significant financial, reputational, and operational damage.
Recommendation
- Deploy the provided Sigma rule for "Suspicious Java Execution from User-Writable Paths" to your SIEM/EDR and tune it for your environment.
- Review
process.executable,process.command_line, andprocess.argsfor any alerts generated by the Sigma rule to identify the specific JAR or classpath targeted and its legitimacy. - Enable Sysmon process-creation and DNS query logging to correlate
javaw.exeprocesses with subsequent DNS lookups, mirroring the correlation logic described in the original detection rule. - Inspect parent processes of
javaw.exedetections to identify the initial delivery mechanism (e.g., archive extraction, script execution) that dropped the Java payload. - Investigate
dns.question.nameanddns.resolved_ipfor suspicious DNS queries originating fromjavaw.exeprocesses.
Detection coverage 1
Suspicious Java Execution from User-Writable Paths
mediumDetects javaw.exe executing JAR or Java classpath applications from user-writable paths like Users, ProgramData, or Windows\Temp, which is a common technique for adversaries to execute dropped Java payloads.
Detection queries are available on the platform. Get full rules →