35 lines
1.2 KiB
YAML
35 lines
1.2 KiB
YAML
|
title: Node.exe Process Abuse
|
||
|
|
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
|
||
|
|
status: experimental
|
||
|
|
description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
|
||
|
|
references:
|
||
|
|
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
|
||
|
|
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
|
||
|
|
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
|
||
|
|
- https://nodejs.org/api/cli.html
|
||
|
|
author: Nasreddine Bencherchali
|
||
|
|
date: 2022/09/09
|
||
|
|
tags:
|
||
|
|
- attack.defense_evasion
|
||
|
|
- attack.t1127
|
||
|
|
logsource:
|
||
|
|
category: process_creation
|
||
|
|
product: windows
|
||
|
|
detection:
|
||
|
|
selection:
|
||
|
|
Image|endswith: '\node.exe'
|
||
|
|
CommandLine|contains:
|
||
|
|
- ' -e '
|
||
|
|
- ' --eval '
|
||
|
|
# Add more pattern of abuse as actions
|
||
|
|
action_reverse_shell:
|
||
|
|
CommandLine|contains|all:
|
||
|
|
- '.exec('
|
||
|
|
- 'net.socket'
|
||
|
|
- '.connect'
|
||
|
|
- 'child_process'
|
||
|
|
condition: selection and 1 of action_*
|
||
|
|
falsepositives:
|
||
|
|
- Unlikely
|
||
|
|
level: high
|