Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Sigma rule
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.defense-evasion
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
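The rule's `selection and not filter` condition, evaluated over constructed process-creation events. This is an added example, not part of the rule or the Sigma project; the install path, script paths, parent command lines and the helper names `matches_rule` and `alerts` are assumptions. Strings are lowercased before comparison because Sigma string matching is case-insensitive by default.

```python
# Added example: the rule's matching logic applied to constructed events.
SELECTION_SUFFIX = r"\Adobe Creative Cloud Experience\libs\node.exe"  # Image|endswith
FILTER_SUBSTRING = r"Adobe Creative Cloud Experience\js"              # CommandLine|contains
RULE_FIELDS = ("Image", "CommandLine", "ParentCommandLine")           # rule's 'fields' list


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection = image.endswith(SELECTION_SUFFIX.lower())
    filtered = FILTER_SUBSTRING.lower() in cmdline
    return selection and not filtered


def alerts(events: list) -> list:
    """Return the rule's output fields for every matching event."""
    return [{f: e.get(f, "") for f in RULE_FIELDS} for e in events if matches_rule(e)]


# Constructed sample data; the install directory is an assumed location.
CC = r"C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience"
PARENT = rf'"{CC}\CCXProcess.exe"'  # assumed parent process, for illustration

EVENTS = [
    # 1. Bundled node.exe running a script from Creative Cloud's own js folder: filtered.
    {"Image": rf"{CC}\libs\node.exe",
     "CommandLine": rf'"{CC}\libs\node.exe" "{CC}\js\main.js"',
     "ParentCommandLine": PARENT},
    # 2. Bundled node.exe running a script from elsewhere: alert.
    {"Image": rf"{CC}\libs\node.exe",
     "CommandLine": rf'"{CC}\libs\node.exe" C:\Users\Public\task.js',
     "ParentCommandLine": "cmd.exe /c run.bat"},
    # 3. A separately installed Node.js: not selected by this rule.
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node.exe C:\Users\Public\task.js",
     "ParentCommandLine": "cmd.exe"},
    # 4. Same as 2 but logged in upper case: still an alert (case-insensitive match).
    {"Image": rf"{CC}\libs\node.exe".upper(),
     "CommandLine": r"NODE.EXE C:\TEMP\TASK.JS",
     "ParentCommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in alerts(EVENTS):
        print(hit)
```
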
Related rules
- AspNetCompiler Execution
- C# IL Code Compilation Via Ilasm.EXE
- Csc.EXE Execution Form Potentially Suspicious Parent
- Detection of PowerShell Execution via Sqlps.exe
- HTML Help HH.EXE Suspicious Child Process