Potential Arbitrary Code Execution Via Node.EXE

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Sigma rule (View on GitHub)

 1title: Potential Arbitrary Code Execution Via Node.EXE
 2id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
 3status: test
 4description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
 5references:
 6    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 7    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
 8    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
 9    - https://nodejs.org/api/cli.html
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/09/09
12modified: 2023/02/03
13tags:
14    - attack.defense_evasion
15    - attack.t1127
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_main:
21        Image|endswith: '\node.exe'
22        CommandLine|contains:
23            - ' -e '
24            - ' --eval '
25    # Add more pattern of abuse as actions
26    selection_action_reverse_shell:
27        CommandLine|contains|all:
28            - '.exec('
29            - 'net.socket'
30            - '.connect'
31            - 'child_process'
32    condition: selection_main and 1 of selection_action_*
33falsepositives:
34    - Unlikely
35level: high

References

Related rules

to-top