Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell). Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync(). If the exploit uses exec() or execSync(), the child process is the default shell and its command line typically looks like cmd.exe /d /s /c "..." followed by the suspicious command, unless another shell is explicitly invoked. With the other methods, the spawned program appears directly in the Image field, unless a shell is explicitly requested.
Sigma rule
title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
    - id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
      type: similar
status: experimental
description: |
    Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
    Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
    If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
    For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '\node_modules\next'
            - 'next dev'
            - 'next start'
            - 'next" start'
            - 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() is used to spawn suspicious processes
        - Image|endswith:
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\ipconfig.exe'
              - '\mshta.exe'
              - '\net.exe'
              - '\net1.exe'
              - '\netsh.exe'
              - '\nslookup.exe'
              - '\OpenConsole.exe'
              - '\perl.exe'
              - '\ping.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\py.exe'
              - '\python.exe'
              - '\pythonw.exe'
              - '\pyw.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\sc.exe'
              - '\sh.exe'
              - '\systeminfo.exe'
              - '\wget.exe'
              - '\whoami.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wt.exe'
        - Image|contains: '\python'
    selection_generic_child_cli_susp_pattern:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the command line will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
        CommandLine|contains:
            - '\net'
            - 'bitsadmin'
            - 'certutil '
            - 'conhost --headless'
            - 'cscript '
            - 'curl'
            - 'ipconfig'
            - 'java'
            - 'lua'
            - 'mshta'
            - 'netsh'
            - 'nslookup '
            - 'perl'
            - 'ping '
            - 'powershell'
            - 'pwsh'
            - 'python'
            - 'reg '
            - 'reg.exe'
            - 'regsvr32'
            - 'ruby'
            - 'rundll32'
            - 'sc.exe'
            - 'systeminfo'
            - 'wget'
            - 'whoami'
            - 'wmic'
            - 'wscript'
    selection_specific_cmd:
        Image|endswith: '\cmd.exe'
    selection_specific_cli:
        CommandLine|contains: '/d /s /c '
    filter_main_default_shell_flag:
        CommandLine|contains: '/d /s /c '
    filter_main_cli_git:
        CommandLine|contains: 'git config --local --get remote.origin.url'
    filter_main_cli_netstat:
        CommandLine|contains|all:
            - 'netstat -ano | findstr /C:'
            - ' | findstr LISTENING'
    filter_main_cli_mkcert_install:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -install '
    filter_main_cli_mkcert_caroot:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -CAROOT'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_cmd and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and not 1 of filter_main_cli_*)
        )
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml
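To see how the three branches of the condition behave, here is an added evaluator (not part of the Sigma rule or of SigmaHQ tooling) that applies the rule's logic to constructed Windows process_creation events; the child-image and command-line pattern lists are subsets of the rule's lists, and the event field values are invented for the example.

```python
# Added example: a minimal evaluator for this rule's condition over constructed process_creation
# events. Sigma string modifiers match case-insensitively, so all values are lower-cased.
# The pattern lists below are subsets of the rule's lists, enough to exercise each branch.
PARENT_CLI = ('--experimental-https', '--experimental-next-config-strip-types',
              '\\node_modules\\next', 'next dev', 'next start', 'next" start',
              'node_modules\\.bin\\\\..\\next',  # npm .cmd shim path, two literal backslashes
              'react-scripts start', 'start-server.js')
CHILD_IMG = ('\\bash.exe', '\\certutil.exe', '\\curl.exe', '\\mshta.exe', '\\net.exe',
             '\\powershell.exe', '\\pwsh.exe', '\\python.exe', '\\rundll32.exe',
             '\\whoami.exe', '\\wmic.exe', '\\wscript.exe')
CHILD_CLI = ('\\net', 'bitsadmin', 'certutil ', 'curl', 'mshta', 'powershell', 'pwsh',
             'python', 'reg ', 'rundll32', 'systeminfo', 'whoami', 'wmic', 'wscript')
SHELL_FLAG = '/d /s /c '  # what exec()/execSync() produce by default on Windows
FILTERS = (('git config --local --get remote.origin.url',),  # each tuple is a |contains|all
           ('netstat -ano | findstr /c:', ' | findstr listening'),
           ('\\mkcert\\', ' -install '), ('\\mkcert\\', ' -caroot'))

def matches(ev):
    """True if one process_creation event satisfies the rule's condition."""
    pimg, pcli = ev['ParentImage'].lower(), ev['ParentCommandLine'].lower()
    img, cli = ev['Image'].lower(), ev['CommandLine'].lower()
    if not (pimg.endswith('\\node.exe') and any(s in pcli for s in PARENT_CLI)):
        return False  # selection_parent: only Node.js serving a Next.js/React app
    generic_img = img.endswith(CHILD_IMG) or '\\python' in img
    generic_cli = any(s in cli for s in CHILD_CLI)
    specific_cmd = img.endswith('\\cmd.exe')
    shell_flag = SHELL_FLAG in cli  # selection_specific_cli and filter_main_default_shell_flag
    benign = any(all(s in cli for s in grp) for grp in FILTERS)
    return (generic_img or generic_cli
            or (specific_cmd and not shell_flag)  # cmd.exe started without the default flags
            or (specific_cmd and shell_flag and not benign))  # default shell, unlisted command

PARENT = {'ParentImage': 'C:\\Program Files\\nodejs\\node.exe',
          'ParentCommandLine': 'node C:\\app\\node_modules\\.bin\\\\..\\next\\dist\\bin\\next start'}
EVENTS = [  # constructed sample events (not real telemetry), all children of that Next.js server
    dict(PARENT, Image='C:\\Windows\\System32\\cmd.exe',
         CommandLine='C:\\Windows\\System32\\cmd.exe /d /s /c "whoami"'),          # execSync()-style
    dict(PARENT, Image='C:\\Windows\\System32\\whoami.exe', CommandLine='whoami'),  # spawn()-style
    dict(PARENT, Image='C:\\Windows\\System32\\cmd.exe',
         CommandLine='C:\\Windows\\System32\\cmd.exe /d /s /c "git config --local --get remote.origin.url"'),
    dict(PARENT, Image='C:\\Windows\\System32\\cmd.exe', CommandLine='cmd.exe /c "echo hi"'),
    dict(PARENT, Image='C:\\Windows\\System32\\cmd.exe',
         CommandLine='C:\\Windows\\System32\\cmd.exe /d /s /c "npm run lint"'),  # not in filters
]

def evaluate(events):
    return [matches(e) for e in events]
```

Note that the last two events match too: any cmd.exe child of the server either lacks the default /d /s /c flags or runs a command not on the filter list, which is why the rule's third branch fires on unlisted but benign build commands and why falsepositives is listed as Unknown.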
Related rules
- Linux Suspicious Child Process from Node.js - React2Shell
- Atlassian Confluence CVE-2022-26134
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt