Shell Spawned by Java Application
No violationsstackroxhighruntimeDetects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application
- Rationale
- Java application launching a shell can be an indicator of remote code execution
- Remediation
- Determine whether this is intended behavior of the application or an indication of malicious activity
CategoriesSystem Modification
Compliance mappingsView coverage →
- NIST SP 800-53 rev. 5
- SI-4
Generated artifacts
1 of 5 targets supportedshell-spawned-by-java-application.yaml
- rule: shell-spawned-by-java-application
desc: Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application
condition: proc.name in ("(/[s]*bin/){0,1}(ba|c|z){0,1}sh") and proc.aname in (".*java")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Shell Spawned by Java Application)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "0501ac8b-5869-4e1e-b360-84dbf01f2c6c",
"name": "Shell Spawned by Java Application",
"description": "Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application",
"rationale": "Java application launching a shell can be an indicator of remote code execution",
"remediation": "Determine whether this is intended behavior of the application or an indication of malicious activity",
"severity": "high",
"categories": [
"System Modification"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "process-name",
"values": [
"(/[s]*bin/){0,1}(ba|c|z){0,1}sh"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "process-ancestor",
"values": [
".*java"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "0501ac8b-5869-4e1e-b360-84dbf01f2c6c",
"name": "Shell Spawned by Java Application",
"description": "Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application",
"rationale": "Java application launching a shell can be an indicator of remote code execution",
"remediation": "Determine whether this is intended behavior of the application or an indication of malicious activity",
"disabled": false,
"categories": [
"System Modification"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "(/[s]*bin/){0,1}(ba|c|z){0,1}sh"
}
]
},
{
"fieldName": "Process Ancestor",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ".*java"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0002",
"techniques": [
"T1059.004"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}