Suspicious Electron Application Child Processes

Detects suspicious child processes of Electron-based applications (Teams, Discord, Slack, etc.). Such a child process can be a sign of ".asar" archive tampering (see the references in the rule) or of the application being used to proxy execution of another binary through specific command-line arguments (see the related rule).

Sigma rule

```yaml
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
    - id: 378a05d8-963c-46c9-bcce-13c7657eac99
      type: similar
status: experimental
description: |
        Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
references:
    - https://taggart-tech.com/quasar-electron/
    - https://github.com/mttaggart/quasar
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/21
modified: 2023/09/05
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more electron based app to the list
            - '\chrome.exe' # Might require additional tuning
            # - '\code.exe' # Requires additional baseline
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\Teams.exe'
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected paths
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - ':\Temp\'
    filter_main_chrome:
        ParentImage|endswith: '\chrome.exe'
        Image|endswith: '\chrome.exe'
    # filter_main_code_1:
    #     ParentImage|endswith: '\code.exe'
    #     Image|endswith: '\code.exe'
    # filter_main_code_2:
    #     # Note: As code allows many other programs its best to baseline this
    #     ParentImage|endswith: '\code.exe'
    #     Image|endswith:
    #         - '\cmd.exe'
    #         - '\powershell.exe'
    filter_main_discord:
        ParentImage|endswith: '\discord.exe'
        Image|endswith: '\discord.exe'
    filter_main_githubdesktop:
        ParentImage|endswith: '\GitHubDesktop.exe'
        Image|endswith: '\GitHubDesktop.exe'
    filter_main_keybase:
        ParentImage|endswith: '\keybase.exe'
        Image|endswith: '\keybase.exe'
    filter_main_msedge:
        ParentImage|endswith: '\msedge.exe'
        Image|endswith: '\msedge.exe'
    filter_main_msedgewebview:
        ParentImage|endswith: '\msedgewebview2.exe'
        Image|endswith: '\msedgewebview2.exe'
    filter_main_msteams:
        ParentImage|endswith: '\msteams.exe'
        Image|endswith: '\msteams.exe'
    filter_main_slack:
        ParentImage|endswith: '\slack.exe'
        Image|endswith: '\slack.exe'
    filter_main_teams:
        ParentImage|endswith: '\teams.exe'
        Image|endswith: '\teams.exe'
    filter_main_werfault:
        Image:
            - 'C:\Windows\SysWOW64\WerFault.exe'
            - 'C:\Windows\System32\WerFault.exe'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate child processes can occur in cases of debugging
# Increase the level once FP rate is known better (see status)
level: medium
```
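To see how the condition combines the selections and filters, the following is an added example that re-implements the rule's matching logic in Python and runs it over a handful of constructed process_creation events; it is not the rule's own code, nor part of the Sigma project or any backend. The `matches()` function mirrors the rule's `condition` line, the helper functions implement the case-insensitive `endswith` and `contains` modifiers, and every path in `SAMPLE_EVENTS` is an illustrative value, not observed telemetry.

```python
# Added example: evaluator for the "Suspicious Electron Application Child
# Processes" Sigma rule. Not the rule's own code or Sigma project code; the
# sample events below are constructed, not captured from a real host.

# selection_parent: ParentImage|endswith
ELECTRON_PARENTS = [
    "\\chrome.exe", "\\discord.exe", "\\GitHubDesktop.exe", "\\keybase.exe",
    "\\msedge.exe", "\\msedgewebview2.exe", "\\msteams.exe", "\\slack.exe",
    "\\Teams.exe",
]
# selection_child_image: Image|endswith
SUSPICIOUS_CHILD_IMAGES = [
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
]
# selection_child_paths: Image|contains
SUSPICIOUS_CHILD_PATHS = [
    "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\Windows\\Temp\\", ":\\Temp\\",
]
# filter_main_werfault: exact Image values
WERFAULT_IMAGES = [
    "C:\\Windows\\SysWOW64\\WerFault.exe", "C:\\Windows\\System32\\WerFault.exe",
]


def _endswith(value, suffixes):
    """Sigma 'endswith' modifier; Sigma string matching is case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):
    """Sigma 'contains' modifier, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """Evaluate the rule condition for one process_creation event:
    selection_parent and 1 of selection_child_* and not 1 of filter_main_*
    and not 1 of filter_optional_*
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")

    selection_parent = _endswith(parent, ELECTRON_PARENTS)
    selection_child = (_endswith(image, SUSPICIOUS_CHILD_IMAGES)
                       or _contains(image, SUSPICIOUS_CHILD_PATHS))
    if not (selection_parent and selection_child):
        return False

    # filter_main_<app>: a listed app spawning its own binary (helper processes)
    filter_same_app = any(_endswith(parent, [app]) and _endswith(image, [app])
                          for app in ELECTRON_PARENTS)
    # filter_main_werfault: the Windows crash reporter started for the app
    filter_werfault = image.lower() in [w.lower() for w in WERFAULT_IMAGES]
    # filter_optional_discord: Discord invoking the NVIDIA driver tool
    filter_discord_nvsmi = (_endswith(parent, ["\\Discord.exe"])
                            and _contains(cmdline, ["\\NVSMI\\nvidia-smi.exe"]))

    return not (filter_same_app or filter_werfault or filter_discord_nvsmi)


# Constructed events (illustrative paths, not observed data).
SAMPLE_EVENTS = {
    "teams_spawns_cmd": {
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    "slack_spawns_public_binary": {
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe",
        "Image": "C:\\Users\\Public\\update.exe",
        "CommandLine": "update.exe",
    },
    "chrome_renderer": {
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "CommandLine": "chrome.exe --type=renderer",
    },
    "discord_nvidia_smi": {
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.0\\Discord.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c \"C:\\Program Files\\NVIDIA Corporation\\NVSMI\\nvidia-smi.exe\"",
    },
    "explorer_spawns_cmd": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
}


def evaluate_samples():
    """Return {sample name: True if the rule would fire} for every sample."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Two things about the filters become visible when you run it. The per-app `filter_main_*` entries suppress any child whose image name equals the parent's, wherever that child lives, so a same-named binary under one of the suspicious paths is suppressed as well; add a path condition to those filters if that is not the tuning you want. And `filter_main_werfault` cannot trigger against the current selections, because neither `System32\WerFault.exe` nor `SysWOW64\WerFault.exe` ends with a listed child image or contains a listed path; it only starts to matter once the child selections are widened, which the rule's comments invite.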
