Unsigned .node File Loaded
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Sigma rule (View on GitHub)
1title: Unsigned .node File Loaded
2id: e5f5c693-52d7-4de5-88ae-afbfbce85595
3status: experimental
4description: |
5 Detects the loading of unsigned .node files.
6 Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
7 .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
8 This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
9references:
10 - https://www.coreycburton.com/blog/driploader-case-study
11 - https://github.com/CoreyCBurton/DripLoaderNG
12 - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
13author: Jonathan Beierle (@hullabrian)
14date: 2025-11-22
15tags:
16 - attack.execution
17 - attack.privilege-escalation
18 - attack.persistence
19 - attack.defense-evasion
20 - attack.t1129
21 - attack.t1574.001
22 - attack.t1036.005
23logsource:
24 category: image_load
25 product: windows
26detection:
27 selection_node_extension:
28 ImageLoaded|endswith: '.node'
29 selection_status:
30 - Signed: 'false'
31 - SignatureStatus: 'Unavailable'
32 filter_optional_vscode_jupyter:
33 Image|endswith: '\Code.exe'
34 ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
35 ImageLoaded|endswith:
36 - '\electron.napi.node'
37 - '\node.napi.glibc.node'
38 condition: all of selection_* and not 1 of filter_optional_*
39falsepositives:
40 - VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
41level: medium
References
-
-
Next Generation of DripLoader with Indirect Syscalls and .node Side-loading - CoreyCBurton/DripLoaderNG
Read More -
One of Electron's most powerful features is the ability to combine web technologies with native code - both for compute-intensive logic as well as for the occasional native user interface, where desired.
Read More
Related rules
- Tasks Folder Evasion
- Potentially Suspicious Child Process of KeyScrambler.exe
- Scheduled Task Creation Masquerading as System Processes
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Potential PlugX Activity