Suspicious React Server Child Process

This rule detects suspicious child process activity from a React server application. This could be related to successful exploitation of CVE-2025-55182 or CVE-2025-66478. These vulnerabilities allow attackers to execute remote code due to insecure deserialization of React Server Components (RSC) Flight payloads, leading to unauthenticated RCE on servers running React 19.x or Next.js 14.3.0-canary+, 15.x, and 16.x with the App Router enabled.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
This rule detects suspicious child process activity from a React server application. This could be related to successful
exploitation of CVE-2025-55182 or CVE-2025-66478. These vulnerabilities allow attackers to execute remote code due to
insecure deserialization of React Server Components (RSC) Flight payloads, leading to unauthenticated RCE on servers
running React 19.x or Next.js 14.3.0-canary+, 15.x, and 16.x with the App Router enabled
"""
from = "now-9m"
index = [
    "auditbeat-*",
    "logs-auditd_manager.auditd-*",
    "logs-endpoint.events.process*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious React Server Child Process"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious React Server Child Process

This rule flags suspicious shell or system utility processes spawned by a React or Next.js server application—clear evidence of CVE-2025-55182 or CVE-2025-66478 exploitation enabling arbitrary code execution. An attacker sends a specially crafted RSC Flight protocol payload to a vulnerable Next.js or React Server Components endpoint, causing the server to deserialize untrusted data and execute attacker-controlled JavaScript, which then spawns shell commands or system utilities to establish initial access and persistence.

### Possible investigation steps

- Extract the parent Node.js process command line and working directory to identify the React or Next.js application, then check package.json or package-lock.json for React version (19.0-19.2) and Next.js version (14.3.0-canary, 15.x, 16.x) to confirm vulnerability.
- Review web server access logs (Nginx, Apache, ALB) for suspicious POST requests to RSC endpoints (/_next/data/, /.next/, /api/) in the minutes before the shell spawn, focusing on requests with unusual Content-Type headers (text/x-component, application/rsc) or large payload sizes.
- Analyze the spawned child process command line, arguments, working directory, and any downloaded files or scripts to identify the payload type (reverse shell, data exfiltration, credential theft, persistence mechanism) and compute file hashes for threat intelligence correlation.
- Pivot on the source IP address from web logs across other hosts and applications to identify additional compromised servers, and check for lateral movement attempts or scanning activity from the compromised host to internal networks.
- Examine the host for post-exploitation artifacts including new cron jobs, modified .bashrc/.profile files, SSH authorized_keys additions, new user accounts, unusual network connections to external IPs, files in /tmp or /var/tmp directories, and container escape attempts (nsenter, docker socket access).

### False positive analysis

- Legitimate build or deployment scripts triggered by CI/CD pipelines may cause Next.js build workers (jest-worker/processChild.js) to spawn shell commands; filter these by excluding processes with --node-ipc flags or running in /builds/, /workspace/, or other CI directories.
- Development servers (next dev, expo start, react-scripts start) running on developer workstations may spawn legitimate shells for tooling; consider excluding NODE_ENV=development or processes running from user home directories if appropriate for your environment.
- Server-side rendering (SSR) frameworks may legitimately invoke system utilities for image processing, PDF generation, or other server-side tasks; maintain an allowlist of expected child processes and their arguments for known applications.

### Response and remediation

- Immediately isolate the affected host to prevent lateral movement, terminate the Node.js parent process and all child processes spawned from the React/Next.js server, and block the source IP address at the firewall and WAF level.
- Remove any persistence mechanisms installed by the attacker including cron jobs (check crontab -l for all users), modified shell initialization files (~/.bashrc, ~/.profile, /etc/profile.d/), SSH keys in ~/.ssh/authorized_keys, and systemd timers or service units.
- Rotate all credentials and secrets accessible to the compromised application including database passwords, API keys, cloud service credentials (AWS/Azure/GCP), and session tokens, assuming they may have been exfiltrated.
- Collect forensic artifacts including memory dumps of the Node.js process (if still running), packet captures of the malicious HTTP request, web server access and error logs, application logs from the React/Next.js server, and copies of any files created in /tmp, /var/tmp, or the application directory.
- Escalate to incident command if the attacker achieved container escape (nsenter usage detected), accessed sensitive data or credentials, established C2 communication to external infrastructure, or if multiple hosts show similar exploitation patterns from the same source.
- Patch immediately by upgrading React to version 19.0.1+, 19.1.2+, or 19.2.1+, and Next.js to versions 14.3.0-canary.88+, 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, or 16.0.7+ depending on your major version, and deploy WAF rules to block malformed RSC payloads at the application edge.
"""
references = [
  "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182"
]
risk_score = 73
rule_id = "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
process.name in ("sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe") and
(
 ?process.working_directory : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or

 (process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
  process.parent.command_line : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"))
 )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

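To support the investigation step that confirms the installed React and Next.js versions, here is an added Python helper (not Elastic's code) that reads a package-lock.json and compares the installed versions with the first fixed versions listed in the remediation step. The lockfile fragment is constructed, and the 'unknown-line' verdict for release lines the remediation list does not name is this example's own assumption.

```python
import json

# First fixed version per release line, from the rule's remediation step; versions
# below AFFECTED_FROM are outside the affected range the rule description gives.
FIXED = {
    "react": {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"},
    "next": {"14.3": "14.3.0-canary.88", "15.0": "15.0.5", "15.1": "15.1.9",
             "15.2": "15.2.6", "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7",
             "16.0": "16.0.7"},
}
AFFECTED_FROM = {"react": (19, 0, 0), "next": (14, 3, 0)}

def parse(version):
    """Comparable key for '15.2.6' or '14.3.0-canary.88': a final release sorts after
    any prerelease of the same core; numeric prerelease parts sort below alphabetic."""
    core, _, pre = version.partition("-")
    key = tuple(int(p) for p in core.split("."))
    if not pre:
        return key, (1,)
    return key, (0,) + tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))

def assess(package, version):
    """'not-affected', 'patched', 'vulnerable', or 'unknown-line' (release line not in
    the table above; consult the vendor advisory before concluding anything)."""
    core, pre = parse(version)
    if core < AFFECTED_FROM[package]:
        return "not-affected"
    fixed = FIXED[package].get(".".join(str(n) for n in core[:2]))
    if fixed is None:
        return "unknown-line"
    return "patched" if (core, pre) >= parse(fixed) else "vulnerable"

def installed_versions(lockfile_text):
    """Installed react/next versions from a package-lock.json (lockfileVersion 2/3 layout)."""
    pkgs = json.loads(lockfile_text).get("packages", {})
    return {name: pkgs["node_modules/" + name]["version"]
            for name in FIXED if "node_modules/" + name in pkgs}

def triage_lockfile(lockfile_text):
    return {name: assess(name, ver) for name, ver in installed_versions(lockfile_text).items()}

# Constructed lockfile fragment (not from a real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"next": "15.2.3", "react": "19.1.0"}},
    "node_modules/next": {"version": "15.2.3"},
    "node_modules/react": {"version": "19.1.0"},
}})
```

Prefer the lockfile over package.json, since package.json usually carries a range such as ^19.1.0 rather than the version actually installed.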
