Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Sigma rule
```yaml
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
```
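The rule's condition applied to sample events, as an added example (not part of the rule or the Sigma project): a Python evaluation of `selection and not filter` using Sigma's default case-insensitive string matching. The event records, install path and script names are constructed for illustration.

```python
# Added example: the rule's condition evaluated over constructed events.
SELECTION_SUFFIX = r"\Adobe Creative Cloud Experience\libs\node.exe"
FILTER_SUBSTR = r"Adobe Creative Cloud Experience\js"
FIELDS = ("Image", "CommandLine", "ParentCommandLine")  # the rule's `fields`


def matches(event):
    """Return True when the event satisfies `selection and not filter`."""
    # Sigma string modifiers compare case-insensitively by default.
    image = (event.get("Image") or "").lower()
    cmdline = (event.get("CommandLine") or "").lower()
    selection = image.endswith(SELECTION_SUFFIX.lower())
    # A missing CommandLine cannot satisfy the filter, so the event still alerts.
    filtered = FILTER_SUBSTR.lower() in cmdline
    return selection and not filtered


def alerts(events):
    """Project matching events onto the fields the rule asks to report."""
    return [{f: e.get(f) for f in FIELDS} for e in events if matches(e)]


# Constructed install root (assumption); the rule itself only fixes the suffix.
CC = r"C:\Program Files\Adobe Creative Cloud Experience"
EVENTS = [
    # 0: Creative Cloud running its own JS resources -> excluded by filter
    {"Image": CC + r"\libs\node.exe",
     "CommandLine": rf'"{CC}\libs\node.exe" "{CC}\js\main.js"',
     "ParentCommandLine": "explorer.exe"},
    # 1: packaged node.exe running a script from elsewhere -> alert
    {"Image": CC + r"\libs\node.exe",
     "CommandLine": rf'"{CC}\libs\node.exe" C:\Users\alice\Downloads\task.js',
     "ParentCommandLine": "cmd.exe"},
    # 2: a regular Node.js install -> not selected
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node.exe server.js", "ParentCommandLine": "cmd.exe"},
    # 3: same binary logged in upper case -> still selected
    {"Image": CC.upper() + r"\LIBS\NODE.EXE",
     "CommandLine": r"NODE.EXE D:\build\run.js", "ParentCommandLine": "cmd.exe"},
    # 4: log source that omitted CommandLine -> alert (filter cannot match)
    {"Image": CC + r"\libs\node.exe", "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in alerts(EVENTS):
        print(hit)
```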
Related rules
- Suspicious Use of CSharp Interactive Console
- Potential SquiblyTwo Technique Execution
- Csc.EXE Execution Form Potentially Suspicious Parent
- Detection of PowerShell Execution via Sqlps.exe
- HTML Help HH.EXE Suspicious Child Process