rules/windows/process_creation/proc_creation_win_node_abuse.yml

title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
falsepositives:
    - Unlikely
level: high
feat: even more updates 2023-02-03 20:17:09 +01:00			`title: Potential Arbitrary Code Execution Via Node.EXE`
Big Update 2022-09-09 15:02:31 +02:00			`id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd`
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test` 2023-12-01 12:50:36 +01:00			`status: test`
fix: typos in multiple rules (#4011 ) 2023-02-06 13:53:23 +01:00			`description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc`
Big Update 2022-09-09 15:02:31 +02:00			`references:`
			`- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html`
			`- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return`
			`- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/`
			`- https://nodejs.org/api/cli.html`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Nasreddine Bencherchali (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-09-09`
			`modified: 2023-02-03`
Big Update 2022-09-09 15:02:31 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
Big Update 2022-09-09 15:02:31 +02:00			`- attack.t1127`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml` 2024-07-11 11:24:01 +02:00			`selection_main:`
Big Update 2022-09-09 15:02:31 +02:00			`Image\|endswith: '\node.exe'`
			`CommandLine\|contains:`
			`- ' -e '`
			`- ' --eval '`
			`# Add more pattern of abuse as actions`
Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml` 2024-07-11 11:24:01 +02:00			`selection_action_reverse_shell:`
Big Update 2022-09-09 15:02:31 +02:00			`CommandLine\|contains\|all:`
			`- '.exec('`
			`- 'net.socket'`
			`- '.connect'`
			`- 'child_process'`
Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml` 2024-07-11 11:24:01 +02:00			`condition: selection_main and 1 of selection_action_*`
Big Update 2022-09-09 15:02:31 +02:00			`falsepositives:`
			`- Unlikely`
			`level: high`