Potential Arbitrary Code Execution Via Node.EXE

Detects the execution of node.exe, which ships with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

Sigma rule

title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
falsepositives:
    - Unlikely
level: high
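To show how the detection block evaluates, here is its matching logic transcribed into Python and run over a few constructed process_creation events; this is an added example, not part of the Sigma rule or the page, and the image paths and command lines are made up (evt-3 carries only the indicator substrings, not a working payload).

```python
# Added example: the Sigma detection block above transcribed into plain Python so
# it can be exercised against process_creation events offline. Sigma endswith /
# contains modifiers match case-insensitively, so everything is lowercased first.

MAIN_IMAGE_SUFFIX = "\\node.exe"                          # Image|endswith
MAIN_CMDLINE_ANY = (" -e ", " --eval ")                   # CommandLine|contains
REVERSE_SHELL_ALL = (".exec(", "net.socket", ".connect",  # CommandLine|contains|all
                     "child_process")

def _field(event, name):
    return str(event.get(name, "")).lower()

def selection_main(event):
    """selection_main: node.exe image plus an inline -e / --eval command line."""
    cmd = _field(event, "CommandLine")
    return (_field(event, "Image").endswith(MAIN_IMAGE_SUFFIX)
            and any(p in cmd for p in MAIN_CMDLINE_ANY))

def selection_action_reverse_shell(event):
    """selection_action_reverse_shell: every indicator substring is present."""
    cmd = _field(event, "CommandLine")
    return all(p in cmd for p in REVERSE_SHELL_ALL)

# "1 of selection_action_*": further action selections are appended here.
ACTION_SELECTIONS = [selection_action_reverse_shell]

def matches(event):
    """condition: selection_main and 1 of selection_action_*"""
    return selection_main(event) and any(sel(event) for sel in ACTION_SELECTIONS)

def alerts(events):
    """Ids of the events the rule fires on."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events, not real telemetry. evt-3's command line is a
# deliberately non-functional token string that only carries the indicators.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Program Files\VendorA\libs\node.exe",
     "CommandLine": r'"C:\Program Files\VendorA\libs\node.exe" js\main.js'},
    {"id": "evt-2", "Image": r"C:\Tools\node.exe",
     "CommandLine": 'node.exe -e "console.log(process.versions.node)"'},
    {"id": "evt-3", "Image": r"C:\Program Files\VendorB\gateway\NODE.EXE",
     "CommandLine": 'NODE.EXE --eval "CONSTRUCTED child_process net.socket .connect .exec( "'},
    {"id": "evt-4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -e child_process net.socket .connect .exec("},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # → ['evt-3']
```

evt-2 shows why the rule needs both halves: a plain `-e` invocation satisfies selection_main but produces no alert until one of the action selections also matches.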
