Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
references:
- https://redcanary.com/blog/intelligence-insights-december-2021
- https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\keytool.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\scrcons.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\systeminfo.exe'
            - '\reg.exe'
            - '\query.exe'
    condition: selection
falsepositives:
- Unknown
level: high
imProcessCreate
| where (ParentProcessName endswith "\\keytool.exe" or ActingProcessName endswith "\\keytool.exe")
    and (TargetProcessName endswith "\\cmd.exe"
        or TargetProcessName endswith "\\sh.exe"
        or TargetProcessName endswith "\\bash.exe"
        or TargetProcessName endswith "\\powershell.exe"
        or TargetProcessName endswith "\\pwsh.exe"
        or TargetProcessName endswith "\\schtasks.exe"
        or TargetProcessName endswith "\\certutil.exe"
        or TargetProcessName endswith "\\whoami.exe"
        or TargetProcessName endswith "\\bitsadmin.exe"
        or TargetProcessName endswith "\\wscript.exe"
        or TargetProcessName endswith "\\cscript.exe"
        or TargetProcessName endswith "\\scrcons.exe"
        or TargetProcessName endswith "\\regsvr32.exe"
        or TargetProcessName endswith "\\hh.exe"
        or TargetProcessName endswith "\\wmic.exe"
        or TargetProcessName endswith "\\mshta.exe"
        or TargetProcessName endswith "\\rundll32.exe"
        or TargetProcessName endswith "\\forfiles.exe"
        or TargetProcessName endswith "\\scriptrunner.exe"
        or TargetProcessName endswith "\\mftrace.exe"
        or TargetProcessName endswith "\\AppVLP.exe"
        or TargetProcessName endswith "\\systeminfo.exe"
        or TargetProcessName endswith "\\reg.exe"
        or TargetProcessName endswith "\\query.exe")
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
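The following is an added reference implementation of the rule's selection logic, written for this page and not part of the Sigma project, the rule author's work, or the Sentinel conversion. It evaluates the same `ParentImage|endswith` / `Image|endswith` conditions that the Sigma rule and the KQL query express against a handful of constructed process_creation events, so a detection engineer can see which events alert and why. The sample events, file paths, and the `SAMPLE_EVENTS` name are constructed for illustration; the suffix list is copied from the rule.

```python
"""Added example: evaluate the keytool.exe child-process selection over
constructed process_creation events (not real telemetry)."""

# Child image suffixes copied from the rule. The leading backslash is part of
# the match, so "mycmd.exe" does not satisfy "\cmd.exe"; only a file literally
# named cmd.exe in some directory does.
SUSPICIOUS_CHILD_IMAGES = (
    "\\cmd.exe", "\\sh.exe", "\\bash.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\schtasks.exe", "\\certutil.exe", "\\whoami.exe", "\\bitsadmin.exe",
    "\\wscript.exe", "\\cscript.exe", "\\scrcons.exe", "\\regsvr32.exe",
    "\\hh.exe", "\\wmic.exe", "\\mshta.exe", "\\rundll32.exe", "\\forfiles.exe",
    "\\scriptrunner.exe", "\\mftrace.exe", "\\AppVLP.exe", "\\systeminfo.exe",
    "\\reg.exe", "\\query.exe",
)

PARENT_IMAGE_SUFFIX = "\\keytool.exe"


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers are case-insensitive by default, as is KQL's
    `endswith`, so compare on lower-cased strings."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`:
    parent image ends with \\keytool.exe AND child image ends with one of
    the listed suffixes."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not _endswith_ci(parent, PARENT_IMAGE_SUFFIX):
        return False
    return any(_endswith_ci(image, suffix) for suffix in SUSPICIOUS_CHILD_IMAGES)


def evaluate(events):
    """Return the subset of events that would raise this rule."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (hypothetical paths; not real telemetry).
SAMPLE_EVENTS = [
    # 1: keytool.exe spawning cmd.exe -> alert
    {"ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 2: java.exe spawning keytool.exe itself -> no alert (keytool is the child)
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "CommandLine": "keytool -list -keystore cacerts"},
    # 3: mixed-case parent and child -> still alerts (case-insensitive match)
    {"ParentImage": r"C:\Program Files\Java\jre\bin\KEYTOOL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "PowerShell.exe -nop -c hostname"},
    # 4: keytool.exe spawning a child not on the list -> no alert
    {"ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0x4"},
    # 5: child name merely contains "cmd.exe" without the separator -> no alert
    {"ParentImage": r"C:\Program Files\Java\jre\bin\keytool.exe",
     "Image": r"C:\tools\mycmd.exe",
     "CommandLine": "mycmd.exe"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']}")
```

Running the block prints two alerts (events 1 and 3). Event 5 is the reason the rule's suffixes carry a leading backslash: without it, any executable whose name merely ends in `cmd.exe` would match. When tuning for the `Unknown` false-positive entry, start by collecting what keytool.exe legitimately spawns in your environment (event 4 is the kind of benign child you would expect) before adding exclusions.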