← Back to SOC feed Coverage →

Suspicious SysAidServer Child

sigma MEDIUM SigmaHQ
T1210
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Detection Rule

Sigma (Original)

title: Suspicious SysAidServer Child
id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
status: test
description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
tags:
    - attack.lateral-movement
    - attack.t1210
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains: 'SysAidServer'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe") or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe")) and ActingProcessCommandLine contains "SysAidServer"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml