Suspicious Electron Application Child Processes
Detects suspicious child processes of Electron applications (Teams, Discord, Slack, etc.). Such activity can be a sign that the application's ".asar" archive has been tampered with (see the references) or that the application is being used as an execution proxy through specific command-line arguments (see the related rule).
Sigma rule
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
    - id: 378a05d8-963c-46c9-bcce-13c7657eac99
      type: similar
status: experimental
description: |
    Detects suspicious child processes of Electron applications (Teams, Discord, Slack, etc.). Such activity can be a sign that the application's ".asar" archive has been tampered with (see the references) or that the application is being used as an execution proxy through specific command-line arguments (see the related rule).
references:
    - https://taggart-tech.com/quasar-electron/
    - https://github.com/mttaggart/quasar
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/21
modified: 2023/09/05
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more Electron-based apps to the list
            - '\chrome.exe' # Might require additional tuning
            #- '\code.exe' # Requires additional baselining
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\Teams.exe'
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected child binaries
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - ':\Temp\'
    filter_main_chrome:
        ParentImage|endswith: '\chrome.exe'
        Image|endswith: '\chrome.exe'
    #filter_main_code_1:
    #    ParentImage|endswith: '\code.exe'
    #    Image|endswith: '\code.exe'
    #filter_main_code_2:
    #    # Note: as code.exe can launch many other programs, it is best to baseline it first
    #    ParentImage|endswith: '\code.exe'
    #    Image|endswith:
    #        - '\cmd.exe'
    #        - '\powershell.exe'
    filter_main_discord:
        ParentImage|endswith: '\discord.exe'
        Image|endswith: '\discord.exe'
    filter_main_githubdesktop:
        ParentImage|endswith: '\GitHubDesktop.exe'
        Image|endswith: '\GitHubDesktop.exe'
    filter_main_keybase:
        ParentImage|endswith: '\keybase.exe'
        Image|endswith: '\keybase.exe'
    filter_main_msedge:
        ParentImage|endswith: '\msedge.exe'
        Image|endswith: '\msedge.exe'
    filter_main_msedgewebview:
        ParentImage|endswith: '\msedgewebview2.exe'
        Image|endswith: '\msedgewebview2.exe'
    filter_main_msteams:
        ParentImage|endswith: '\msteams.exe'
        Image|endswith: '\msteams.exe'
    filter_main_slack:
        ParentImage|endswith: '\slack.exe'
        Image|endswith: '\slack.exe'
    filter_main_teams:
        ParentImage|endswith: '\teams.exe'
        Image|endswith: '\teams.exe'
    filter_main_werfault:
        Image:
            - 'C:\Windows\SysWOW64\WerFault.exe'
            - 'C:\Windows\System32\WerFault.exe'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate child processes can occur in cases of debugging
# Increase the level once the FP rate is better known (see status)
level: medium
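To show how the condition above resolves on real-looking telemetry, here is an added example that is not part of the Sigma project or of this rule: a stand-alone Python re-implementation of the rule's logic run over constructed Sysmon Event ID 1 style records. The field names (ParentImage, Image, CommandLine) follow the Sigma process_creation schema; the sample paths, usernames and version strings are invented for the example. One simplification is assumed: because every parent in selection_parent has a matching filter_main_<app> entry excluding a child with the same binary name, those nine filters are collapsed into a single basename comparison.

```python
# Added example (not part of the Sigma project or this rule): a stand-alone
# re-implementation of the rule's condition in Python, evaluated over
# constructed Sysmon Event ID 1 style records. Sigma string modifiers
# (endswith, contains, exact match) are case-insensitive, so both sides of
# every comparison are lowercased. A real deployment would compile the rule
# with a Sigma backend instead of hand-porting it like this.

# selection_parent
PARENT_IMAGES = (
    "\\chrome.exe", "\\discord.exe", "\\githubdesktop.exe", "\\keybase.exe",
    "\\msedge.exe", "\\msedgewebview2.exe", "\\msteams.exe", "\\slack.exe",
    "\\teams.exe",
)
# selection_child_image
CHILD_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)
# selection_child_paths
CHILD_PATHS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
               "\\windows\\temp\\", ":\\temp\\")
# filter_main_werfault (exact, case-insensitive match on the full path)
WERFAULT = ("c:\\windows\\syswow64\\werfault.exe",
            "c:\\windows\\system32\\werfault.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_matches(event: dict) -> bool:
    """Evaluate: selection_parent and 1 of selection_child_*
    and not 1 of filter_main_* and not 1 of filter_optional_*"""
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_parent: the parent is one of the listed Electron/Chromium hosts
    if not parent.endswith(PARENT_IMAGES):
        return False

    # 1 of selection_child_*: a LOLBin child, or a child started from a scratch directory
    if not (image.endswith(CHILD_IMAGES) or any(p in image for p in CHILD_PATHS)):
        return False

    # filter_main_<app> (assumption: collapsed into one check): every listed parent
    # has a filter dropping children that are the same binary, i.e. Chromium helper
    # processes such as --type=renderer or --type=gpu-process
    if _basename(parent) == _basename(image):
        return False

    # filter_main_werfault: the crash handler launched on behalf of the app
    if image in WERFAULT:
        return False

    # filter_optional_discord: Discord probing the NVIDIA driver via nvidia-smi
    if parent.endswith("\\discord.exe") and "\\nvsmi\\nvidia-smi.exe" in cmdline:
        return False

    return True


# Constructed sample events; paths, users and version numbers are illustrative only.
SAMPLE_EVENTS = [
    {   # Teams spawning a shell, as in the --gpu-launcher proxy documented on LOLBAS
        "id": "teams-cmd",
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # portable Chromium unpacked under C:\Temp starting its own renderer
        "id": "chrome-portable-renderer",
        "ParentImage": r"C:\Temp\chrome-win\chrome.exe",
        "Image": r"C:\Temp\chrome-win\chrome.exe",
        "CommandLine": r'"C:\Temp\chrome-win\chrome.exe" --type=renderer',
    },
    {   # Discord querying the GPU through nvidia-smi (covered by filter_optional_discord)
        "id": "discord-nvsmi",
        "ParentImage": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9016\Discord.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe" --query-gpu=name',
    },
    {   # Slack launching an unknown binary dropped in the user's Temp directory
        "id": "slack-temp",
        "ParentImage": r"C:\Users\alice\AppData\Local\slack\app-4.33.90\slack.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe /silent",
    },
    {   # not an Electron parent at all
        "id": "explorer-ps",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden",
    },
    {   # Edge spawning the script host
        "id": "edge-wscript",
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\alice\Downloads\invoice.js",
    },
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT' if rule_matches(e) else '  ok '}  {e['id']}")
```

Two observations fall out of walking the condition this way. First, `endswith: '\teams.exe'` does not match `msteams.exe`, because the leading backslash anchors the match to the file name; that is why the rule carries separate msteams and teams entries. Second, with the current selection_child_* lists, filter_main_werfault can never fire: an image under System32 or SysWOW64 matches neither the LOLBin list nor the scratch-path list, so it is already excluded before the filter is reached. It is harmless, but worth knowing if selection_child_paths is ever widened.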
Related rules
- Potentially Suspicious Electron Application CommandLine