Suspicious Electron Application Child Processes
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Sigma rule (View on GitHub)
1title: Suspicious Electron Application Child Processes
2id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
3related:
4 - id: 378a05d8-963c-46c9-bcce-13c7657eac99
5 type: similar
6status: test
7description: |
8 Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
9references:
10 - https://taggart-tech.com/quasar-electron/
11 - https://github.com/mttaggart/quasar
12 - https://positive.security/blog/ms-officecmd-rce
13 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
14 - https://lolbas-project.github.io/lolbas/Binaries/Teams/
15 - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
16 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2022-10-21
19modified: 2024-07-12
20tags:
21 - attack.execution
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_parent:
27 ParentImage|endswith:
28 # Add more electron based app to the list
29 - '\chrome.exe' # Might require additional tuning
30 - '\discord.exe'
31 - '\GitHubDesktop.exe'
32 - '\keybase.exe'
33 - '\msedge.exe'
34 - '\msedgewebview2.exe'
35 - '\msteams.exe'
36 - '\slack.exe'
37 - '\teams.exe'
38 # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
39 selection_child_image:
40 Image|endswith:
41 # Add more suspicious/unexpected paths
42 - '\cmd.exe'
43 - '\cscript.exe'
44 - '\mshta.exe'
45 - '\powershell.exe'
46 - '\pwsh.exe'
47 - '\regsvr32.exe'
48 - '\whoami.exe'
49 - '\wscript.exe'
50 selection_child_paths:
51 Image|contains:
52 # Add more suspicious/unexpected paths
53 - ':\ProgramData\'
54 - ':\Temp\'
55 - '\AppData\Local\Temp\'
56 - '\Users\Public\'
57 - '\Windows\Temp\'
58 filter_optional_discord:
59 ParentImage|endswith: '\Discord.exe'
60 Image|endswith: '\cmd.exe'
61 CommandLine|contains: '\NVSMI\nvidia-smi.exe'
62 condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
63falsepositives:
64 - Unknown
65# Increase the level once FP rate is reduced (see status)
66level: medium
References
-
We've all heard how insecure Electron apps are. Here's a way to make that easy to demonstrate.
Read More -
quASAR: ASAR manipulation made easy. Contribute to mttaggart/quasar development by creating an account on GitHub.
Read More -
Chaining a misconfiguration in IE11/Edge Legacy with an argument injection in a Windows 10/11 default URI handler and a bypass for a previous Electron patch, we developed a drive-by RCE exploit for Windows 10. The main vulnerability in the ms-officecmd URI handler has not been patched yet and can also be triggered through other browsers (requires confirmation of an inconspicuous dialog) and desktop applications that allow URI opening.
Read More -
Msedge.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
msedgewebview2.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change