EXPLORE
← Back to Explore
elasticmediumTTP

Java Dropped and Executed With DNS Lookup

Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute them immediately to establish command and control while evading application control focused on native Windows binaries.

MITRE ATT&CK

executioncommand-and-control

Detection Query

sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and
  (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
  (process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and user.id != "S-1-5-18" and
  (
   (process.args_count == 3 and process.args : "-jar") or
   (process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
  )]
 [network where host.os.type == "windows" and event.action: "lookup_requested"]

Author

Elastic

Created

2026/06/21

Data Sources

Elastic Defendlogs-endpoint.events.process-*logs-endpoint.events.network-*

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExecutionTactic: Command and ControlData Source: Elastic DefendResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/06/21"

[rule]
author = ["Elastic"]
description = """
Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java
classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute
them immediately to establish command and control while evading application control focused on native Windows
binaries.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Java Dropped and Executed With DNS Lookup"
note = """## Triage and analysis

### Investigating Java Dropped and Executed With DNS Lookup

This rule correlates a recently created or modified `javaw.exe` launch from `Users`, `ProgramData`, or `Windows\\Temp` with an immediate
DNS lookup from the same process. Attackers often drop JAR-based payloads to user-writable locations and invoke them
with `-jar` or `-cp`/`-classpath` to blend in with legitimate Java usage while reaching out to command and control
infrastructure.

#### Possible investigation steps

- Review `process.executable`, `process.command_line`, and `process.args` to identify the JAR or classpath target and
  whether the path is user-writable or unexpected for the host role.
- Inspect `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` to confirm the
  binary or payload was staged immediately before execution.
- Examine the parent process tree for download, archive extraction, or script activity that may have dropped the JAR
  or `javaw.exe`.
- Pivot on the DNS event for `dns.question.name`, `dns.resolved_ip`, and any follow-on connection attempts from the
  same `process.entity_id`.
- Check code signature details for `javaw.exe` and any referenced JAR files when file telemetry is available.
- Hunt for the same JAR hash, command line, or queried domain on other hosts.

### False positive analysis

- Developer workflows, local Java applications, and enterprise tools may run freshly updated JARs from user profiles or
  `ProgramData`. Validate the JAR path, signer, parent process, and queried domain against known software before
  closing as benign.
- Some installers or updaters drop a private JRE under `ProgramData` and launch JAR utilities during setup. Confirm the
  activity aligns with a known deployment or update window.

### Response and remediation

- Isolate the host if the JAR, domain, or parent activity appears malicious.
- Quarantine the dropped JAR, related Java runtime files, and any staging artifacts identified in the process tree.
- Block malicious domains or IPs at DNS and network enforcement points.
- Reset credentials for accounts active on the host during the suspicious session if follow-on activity is observed."""
risk_score = 47
rule_id = "80d7f4ef-c3b6-4466-80f4-805bdd10507d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and
  (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
  (process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and user.id != "S-1-5-18" and
  (
   (process.args_count == 3 and process.args : "-jar") or
   (process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
  )]
 [network where host.os.type == "windows" and event.action: "lookup_requested"]
'''


[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.parent.executable"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"