Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Electron Application CommandLine
2id: 378a05d8-963c-46c9-bcce-13c7657eac99
3related:
4 - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
5 type: similar
6status: test
7description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
8references:
9 - https://positive.security/blog/ms-officecmd-rce
10 - https://lolbas-project.github.io/lolbas/Binaries/Teams/
11 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
12 - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
13 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
14 - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
15author: frack113, Nasreddine Bencherchali (Nextron Systems)
16date: 2023-09-05
17modified: 2023-11-09
18tags:
19 - attack.execution
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith:
26 # Add more electron based app to the list
27 - '\chrome.exe'
28 - '\code.exe'
29 - '\discord.exe'
30 - '\GitHubDesktop.exe'
31 - '\keybase.exe'
32 - '\msedge_proxy.exe'
33 - '\msedge.exe'
34 - '\msedgewebview2.exe'
35 - '\msteams.exe'
36 - '\slack.exe'
37 - '\Teams.exe'
38 - OriginalFileName:
39 # Add more electron based app to the list
40 - 'chrome.exe'
41 - 'code.exe'
42 - 'discord.exe'
43 - 'GitHubDesktop.exe'
44 - 'keybase.exe'
45 - 'msedge_proxy.exe'
46 - 'msedge.exe'
47 - 'msedgewebview2.exe'
48 - 'msteams.exe'
49 - 'slack.exe'
50 - 'Teams.exe'
51 selection_cli:
52 CommandLine|contains:
53 - '--browser-subprocess-path'
54 - '--gpu-launcher'
55 - '--renderer-cmd-prefix'
56 - '--utility-cmd-prefix'
57 condition: all of selection_*
58falsepositives:
59 - Legitimate usage for debugging purposes
60# Increase the level once FP rate is known better (see status)
61level: medium
References
-
Chaining a misconfiguration in IE11/Edge Legacy with an argument injection in a Windows 10/11 default URI handler and a bypass for a previous Electron patch, we developed a drive-by RCE exploit for Windows 10. The main vulnerability in the ms-officecmd URI handler has not been patched yet and can also be triggered through other browsers (requires confirmation of an inconspicuous dialog) and desktop applications that allow URI opening.
Read More -
Msedge.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
msedgewebview2.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
// Copyright (c) 2012 The Chromium Authors. All rights reserved.// Use of this source code is governed by a BSD-style license that can be// found in the LICENSE file.#include "content/public/common...
Read More
Related rules
- Add Potential Suspicious New Download Source To Winget
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)