Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
Sigma rule (View on GitHub)
1title: Potential Arbitrary Code Execution Via Node.EXE
2id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
3status: test
4description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
5references:
6 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
7 - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
8 - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
9 - https://nodejs.org/api/cli.html
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/09/09
12modified: 2023/02/03
13tags:
14 - attack.defense_evasion
15 - attack.t1127
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\node.exe'
22 CommandLine|contains:
23 - ' -e '
24 - ' --eval '
25 # Add more pattern of abuse as actions
26 action_reverse_shell:
27 CommandLine|contains|all:
28 - '.exec('
29 - 'net.socket'
30 - '.connect'
31 - 'child_process'
32 condition: selection and 1 of action_*
33falsepositives:
34 - Unlikely
35level: high
References
Related rules
- Suspicious Child Process of AspNetCompiler
- Ilasm Lolbin Use Compile C-Sharp
- JSC Convert Javascript To Executable
- Kavremover Dropped Binary LOLBIN Usage
- Node Process Executions