← Back to Explore
elasticmediumTTP
Java Dropped and Executed With DNS Lookup
Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute them immediately to establish command and control while evading application control focused on native Windows binaries.
Detection Query
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
(process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
(process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and user.id != "S-1-5-18" and
(
(process.args_count == 3 and process.args : "-jar") or
(process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
)]
[network where host.os.type == "windows" and event.action: "lookup_requested"]
Author
Elastic
Created
2026/06/21
Data Sources
Elastic Defendlogs-endpoint.events.process-*logs-endpoint.events.network-*
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExecutionTactic: Command and ControlData Source: Elastic DefendResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/06/21"
[rule]
author = ["Elastic"]
description = """
Identifies a recently dropped or modified javaw.exe process started from a user-writable path to run a JAR or Java
classpath application, followed by a DNS lookup. Adversaries may drop Java payloads into user directories and execute
them immediately to establish command and control while evading application control focused on native Windows
binaries.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Java Dropped and Executed With DNS Lookup"
note = """## Triage and analysis
### Investigating Java Dropped and Executed With DNS Lookup
This rule correlates a recently created or modified `javaw.exe` launch from `Users`, `ProgramData`, or `Windows\\Temp` with an immediate
DNS lookup from the same process. Attackers often drop JAR-based payloads to user-writable locations and invoke them
with `-jar` or `-cp`/`-classpath` to blend in with legitimate Java usage while reaching out to command and control
infrastructure.
#### Possible investigation steps
- Review `process.executable`, `process.command_line`, and `process.args` to identify the JAR or classpath target and
whether the path is user-writable or unexpected for the host role.
- Inspect `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` to confirm the
binary or payload was staged immediately before execution.
- Examine the parent process tree for download, archive extraction, or script activity that may have dropped the JAR
or `javaw.exe`.
- Pivot on the DNS event for `dns.question.name`, `dns.resolved_ip`, and any follow-on connection attempts from the
same `process.entity_id`.
- Check code signature details for `javaw.exe` and any referenced JAR files when file telemetry is available.
- Hunt for the same JAR hash, command line, or queried domain on other hosts.
### False positive analysis
- Developer workflows, local Java applications, and enterprise tools may run freshly updated JARs from user profiles or
`ProgramData`. Validate the JAR path, signer, parent process, and queried domain against known software before
closing as benign.
- Some installers or updaters drop a private JRE under `ProgramData` and launch JAR utilities during setup. Confirm the
activity aligns with a known deployment or update window.
### Response and remediation
- Isolate the host if the JAR, domain, or parent activity appears malicious.
- Quarantine the dropped JAR, related Java runtime files, and any staging artifacts identified in the process tree.
- Block malicious domains or IPs at DNS and network enforcement points.
- Reset credentials for accounts active on the host during the suspicious session if follow-on activity is observed."""
risk_score = 47
rule_id = "80d7f4ef-c3b6-4466-80f4-805bdd10507d"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
(process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) and
(process.name : "javaw.exe" or process.pe.original_file_name == "javaw.exe") and process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*") and user.id != "S-1-5-18" and
(
(process.args_count == 3 and process.args : "-jar") or
(process.args_count == 4 and process.args : ("-cp", "-classpath") and process.command_line : " *.* ")
)]
[network where host.os.type == "windows" and event.action: "lookup_requested"]
'''
[rule.investigation_fields]
field_names = [
"@timestamp",
"host.id",
"user.id",
"process.entity_id",
"process.executable",
"process.parent.executable"
]
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"