Back to catalog

Shell Spawned by Java Application

No violationsstackroxhighruntime

Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application

Rationale
Java application launching a shell can be an indicator of remote code execution
Remediation
Determine whether this is intended behavior of the application or an indication of malicious activity
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
shell-spawned-by-java-application.yaml
- rule: shell-spawned-by-java-application
  desc: Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application
  condition: proc.name in ("(/[s]*bin/){0,1}(ba|c|z){0,1}sh") and proc.aname in (".*java")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Shell Spawned by Java Application)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "0501ac8b-5869-4e1e-b360-84dbf01f2c6c",
  "name": "Shell Spawned by Java Application",
  "description": "Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application",
  "rationale": "Java application launching a shell can be an indicator of remote code execution",
  "remediation": "Determine whether this is intended behavior of the application or an indication of malicious activity",
  "severity": "high",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "process-name",
        "values": [
          "(/[s]*bin/){0,1}(ba|c|z){0,1}sh"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "process-ancestor",
        "values": [
          ".*java"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "0501ac8b-5869-4e1e-b360-84dbf01f2c6c",
  "name": "Shell Spawned by Java Application",
  "description": "Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application",
  "rationale": "Java application launching a shell can be an indicator of remote code execution",
  "remediation": "Determine whether this is intended behavior of the application or an indication of malicious activity",
  "disabled": false,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "(/[s]*bin/){0,1}(ba|c|z){0,1}sh"
            }
          ]
        },
        {
          "fieldName": "Process Ancestor",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ".*java"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0002",
      "techniques": [
        "T1059.004"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}