Execution via Electron Child Process Node.js Module

  1[metadata]
  2creation_date = "2020/01/07"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies attempts to execute a child process from within the context of an Electron application using the
 11child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Execution via Electron Child Process Node.js Module"
 18references = [
 19    "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
 20    "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
 21    "https://nodejs.org/api/child_process.html",
 22]
 23risk_score = 47
 24rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58"
 25setup = """## Setup
 26
 27This rule requires data coming in from Elastic Defend.
 28
 29### Elastic Defend Integration Setup
 30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49"""
 50severity = "medium"
 51tags = [
 52    "Domain: Endpoint",
 53    "OS: macOS",
 54    "Use Case: Threat Detection",
 55    "Tactic: Defense Evasion",
 56    "Tactic: Execution",
 57    "Data Source: Elastic Defend",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "eql"
 62
 63query = '''
 64process where host.os.type == "macos" and event.type in ("start", "process_started") and 
 65 process.args == "-e" and process.args : "const*require*child_process*"
 66'''
 67note = """## Triage and analysis
 68
 69> **Disclaimer**:
 70> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 71
 72### Investigating Execution via Electron Child Process Node.js Module
 73
 74Electron applications, built on Node.js, can execute child processes using the `child_process` module, inheriting parent process permissions. Adversaries exploit this to execute unauthorized commands, bypassing security controls. The detection rule identifies suspicious process starts on macOS, focusing on command-line arguments indicative of such abuse, aiding in threat detection and mitigation.
 75
 76### Possible investigation steps
 77
 78- Review the process arguments captured in the alert to confirm the presence of suspicious patterns, such as the use of "-e" and the inclusion of "require('child_process')".
 79- Identify the parent Electron application process to determine if it is a legitimate application or potentially malicious.
 80- Check the user account associated with the process to assess if it has elevated privileges that could be exploited.
 81- Investigate the command executed by the child process to understand its purpose and potential impact on the system.
 82- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns.
 83- Examine the network activity of the host around the time of the alert to detect any unauthorized data exfiltration or communication with known malicious IPs.
 84
 85### False positive analysis
 86
 87- Legitimate Electron applications may use the child_process module for valid operations, such as launching helper scripts or tools. Users should identify and whitelist these known applications to prevent unnecessary alerts.
 88- Development environments often execute scripts using child_process during testing or debugging. Exclude processes originating from development directories or environments to reduce false positives.
 89- Automated build or deployment tools running on macOS might invoke child processes as part of their workflow. Recognize and exclude these tools by their process names or paths.
 90- Some Electron-based applications might use command-line arguments that match the detection pattern for legitimate reasons. Review and adjust the detection rule to exclude these specific argument patterns when associated with trusted applications.
 91- Regularly review and update the exclusion list to accommodate new legitimate use cases as they arise, ensuring that the detection rule remains effective without generating excessive false positives.
 92
 93### Response and remediation
 94
 95- Immediately isolate the affected macOS system from the network to prevent further unauthorized command execution and potential lateral movement.
 96- Terminate any suspicious child processes identified as being spawned by the Electron application to halt any ongoing malicious activity.
 97- Conduct a thorough review of the Electron application's code and configuration to identify and remove any unauthorized or malicious scripts or modules, particularly those involving the `child_process` module.
 98- Revoke and reset any credentials or tokens that may have been exposed or compromised due to the unauthorized execution, ensuring that new credentials are distributed securely.
 99- Apply security patches and updates to the Electron application and underlying Node.js environment to mitigate any known vulnerabilities that could be exploited in a similar manner.
100- Enhance monitoring and logging on the affected system and similar environments to detect any future attempts to exploit the `child_process` module, focusing on command-line arguments and process creation events.
101- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been impacted, ensuring a comprehensive response to the threat."""
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1059"
108name = "Command and Scripting Interpreter"
109reference = "https://attack.mitre.org/techniques/T1059/"
110
111
112[rule.threat.tactic]
113id = "TA0002"
114name = "Execution"
115reference = "https://attack.mitre.org/tactics/TA0002/"
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1548"
120name = "Abuse Elevation Control Mechanism"
121reference = "https://attack.mitre.org/techniques/T1548/"
122
123
124[rule.threat.tactic]
125id = "TA0005"
126name = "Defense Evasion"
127reference = "https://attack.mitre.org/tactics/TA0005/"