Linux Suspicious Child Process from Node.js - React2Shell

Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). This rule specifically looks for exploitation of this vulnerability on Node.js servers, where attackers abuse the Node.js child_process module to execute arbitrary system commands. When execSync() or exec() is used, the command line usually contains a shell invocation followed by the attacker's command or script (e.g., /bin/sh -c <malicious-command>). For the other child_process methods (spawn(), execFile(), fork()), the Image field shows the spawned process directly.

Sigma rule

```yaml
title: Linux Suspicious Child Process from Node.js - React2Shell
id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
related:
    - id: 271de298-cc0e-4842-acd8-079a0a99ea65
      type: similar
status: experimental
description: |
    Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
    This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
    When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
    For other methods, the Image field will show the spawned process directly.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '/node_modules/next'
            - 'next dev'
            - 'next start'
            - 'node_modules/.bin'
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit
        - Image|endswith:
              - '/busybox'
              - '/cat'
              - '/curl'
              - '/dash'
              - '/dig'
              - '/head'
              - '/id'
              - '/ifconfig'
              - '/ip'
              - '/java'
              - '/less'
              - '/lua'
              - '/more'
              - '/nc'
              - '/ncat'
              - '/netcat'
              - '/netstat'
              - '/nslookup'
              - '/perl'
              - '/ping'
              - '/python'
              - '/python2'
              - '/ruby'
              - '/socat'
              - '/tail'
              - '/wget'
              - '/whoami'
        - Image|contains: '/python'
    selection_generic_child_cli:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the cli will look something like `/bin/sh -c .......`
        CommandLine|contains:
            - '/dev/tcp/'
            - '/dev/udp/'
            - '/etc/hosts'
            - '/etc/passwd'
            - '/etc/shadow'
            - 'base64'
            - 'cat '
            - 'curl'
            - 'dig'
            - 'ifconfig'
            - 'IO::Socket::INET'
            - 'java'
            - 'less '
            - 'lua'
            - 'mkfifo '
            - 'more'
            - 'nc '
            - 'ncat'
            - 'netcat'
            - 'netstat'
            - 'nslookup'
            - 'perl'
            - 'php'
            - 'ping'
            - 'ps -ef'
            - 'ps aux'
            - 'python'
            - 'rcat'
            - 'ruby'
            - 'sh -i 2>&1'
            - '-c id'
            - 'socat'
            - 'uname'
            - 'wget'
            - 'whoami'
    selection_specific_sh:
        Image|endswith: '/sh'
    selection_specific_cli:
        Image|endswith: '-c'
    filter_main_default_shell_flag:
        Image|endswith: '-c'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_sh and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and selection_generic_child_cli)
        )
falsepositives:
    - Unknown
level: high
```
