Potential RCE Exploitation Attempt In NodeJS
Detects process-execution-related errors in NodeJS. If the exceptions are caused by user input, they may suggest an RCE vulnerability.
Sigma rule
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: nodejs
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'node:child_process'
    condition: keywords
falsepositives:
    - Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
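The rule's keyword condition applied to multi-line Node.js error logs, as an added example that is not part of the Sigma rule or its repository. The log layout, the sample lines and paths, and the `caller` and `likely_fp` triage fields are constructed assumptions; the keyword and the Puppeteer caveat come from the rule.

```python
import re

KEYWORD = "node:child_process"   # the rule's only keyword
FP_HINT = "puppeteer"            # from the rule's falsepositives note
# Assumed log layout (constructed): "<timestamp> <LEVEL> <message>", with
# stack frames on indented continuation lines starting with "at ".
HEADER = re.compile(r"^(\S+) ([A-Z]+) (.*)$")

SAMPLE_LOG = """\
2024-01-01T10:00:01Z ERROR Error: Command failed: nslookup 'example.test
    at checkExecSyncError (node:child_process:871:11)
    at execSync (node:child_process:952:15)
    at lookup (/app/src/routes/dns.js:17:18)
2024-01-01T10:00:05Z ERROR TypeError: Cannot read properties of undefined
    at getUser (/app/src/users.js:42:17)
2024-01-01T10:00:09Z ERROR Error: Failed to launch the browser process!
    at ChildProcess.onClose (/app/node_modules/puppeteer/lib/launch.js:120:20)
    at ChildProcess.exithandler (node:child_process:419:12)
2024-01-01T10:00:12Z INFO request completed
"""  # constructed sample, not real log data

def parse_events(text):
    """Group each log header with its indented stack-trace lines."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"ts": m[1], "level": m[2], "lines": [m[3]]})
        elif events and line.startswith((" ", "\t")):
            events[-1]["lines"].append(line.strip())
    return events

def evaluate(events):
    """Match the keyword anywhere in an ERROR+ event, case-insensitively."""
    alerts = []
    for ev in events:
        body = "\n".join(ev["lines"]).lower()
        if ev["level"] not in ("ERROR", "FATAL") or KEYWORD not in body:
            continue
        frames = [l for l in ev["lines"][1:] if l.startswith("at ")]
        # First frame outside Node's own modules: the code that ran the process.
        caller = next((f for f in frames if "(node:" not in f), None)
        alerts.append({"ts": ev["ts"], "message": ev["lines"][0],
                       "caller": caller, "likely_fp": FP_HINT in body})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_LOG)):
        print(alert)
```

Matching on the grouped event rather than on single lines matters here: the keyword sits in a stack frame, while the message that shows whether user input was involved is on the header line.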
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations