rules/windows/sysmon/vul_java_remote_debugging.yml

title: Java running with Remote Debugging
description: 
reference: 
detection:
    selection:
        - EventLog: Microsoft-Windows-Sysmon/Operational
        - EventID: 1
        - CommandLine: '*transport=dt_socket,address=*'
    exclusion:
        - CommandLine: '*address=127.0.0.1*'
        - CommandLine: '*address=localhost*'
    condition: selection and not exclusion
falsepositives:
    - unknown
level: 30
Rew rule examples: RC4 Kerberos, JAVA remote debugging process 2017-02-06 20:03:42 +01:00			`title: Java running with Remote Debugging`
			`description:`
			`reference:`
			`detection:`
			`selection:`
			`- EventLog: Microsoft-Windows-Sysmon/Operational`
			`- EventID: 1`
			`- CommandLine: 'transport=dt_socket,address='`
			`exclusion:`
			`- CommandLine: 'address=127.0.0.1'`
			`- CommandLine: 'address=localhost'`
			`condition: selection and not exclusion`
			`falsepositives:`
			`- unknown`
			`level: 30`