Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Sigma rule
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
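The rule's condition evaluated over a handful of process-creation events, as an added example that is not part of the Sigma project or the original page. The events, install path and event ids are constructed for illustration; matching is case-insensitive as in Sigma's default string comparison, and a missing CommandLine is treated as not matching the filter.

```python
# Added example: evaluates the rule's selection/filter logic over constructed events.
SELECTION_SUFFIX = r"\Adobe Creative Cloud Experience\libs\node.exe"
FILTER_SUBSTR = r"Adobe Creative Cloud Experience\js"


def field(event, name):
    """Return a field as a lowercase string; missing or null fields become ''."""
    value = event.get(name)
    return value.lower() if isinstance(value, str) else ""


def rule_matches(event):
    """condition: selection and not filter (Sigma string matching is case-insensitive)."""
    selection = field(event, "Image").endswith(SELECTION_SUFFIX.lower())
    filtered = FILTER_SUBSTR.lower() in field(event, "CommandLine")
    return selection and not filtered


# Constructed process_creation events (not real telemetry); paths are assumptions.
CC = r"C:\Program Files\Adobe\Adobe Creative Cloud Experience"
SAMPLE_EVENTS = [
    {"id": "cc-own-script", "Image": CC + r"\libs\node.exe",
     "CommandLine": '"' + CC + r'\libs\node.exe" "' + CC + r'\js\main.js"'},
    {"id": "foreign-script", "Image": CC + r"\libs\node.exe",
     "CommandLine": '"' + CC + r'\libs\node.exe" C:\Users\Public\task.js'},
    {"id": "case-variant", "Image": CC.upper() + r"\LIBS\NODE.EXE",
     "CommandLine": r"node.exe C:\Temp\a.js"},
    {"id": "other-node", "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node.exe C:\Temp\a.js"},
    {"id": "no-cmdline", "Image": CC + r"\libs\node.exe", "CommandLine": None},
]


def alerts(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event_id in alerts(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Events with an empty or missing CommandLine still alert, so sources that do not log command lines will raise every launch of the bundled node.exe.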
Related rules
- HackTool - CACTUSTORCH Remote Thread Creation
- MSHTA Execution with Suspicious File Extensions
- Suspicious Use of CSharp Interactive Console
- Potential SquiblyTwo Technique Execution
- Csc.EXE Execution Form Potentially Suspicious Parent