From 3cddcc906dcb275d2b2f034d669dc43b25973fa5 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Thu, 7 Apr 2022 09:08:21 +0200
Subject: [PATCH] feat: Add new rule for Creative Cloud node abuse
---
...creation_win_creative_cloud_node_abuse.yml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
diff --git a/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
new file mode 100644
index 000000000..4c5224800
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml
@@ -0,0 +1,28 @@
+title: Node Process Executions
+id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
+status: experimental
+description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
+references:
+ - https://twitter.com/mttaggart/status/1511804863293784064
+author: Max Altgelt
+date: 2022/04/06
+tags:
+ - attack.defense_evasion
+ - attack.t1127
+ - attack.t1059.007
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
+ filter:
+ CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
+ condition: selection and not filter
+fields:
+ - Image
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: medium
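Review bot: The exclusion in `filter` is a plain substring test on the whole command line (`CommandLine|contains: 'Adobe Creative Cloud Experience\js'`), so an attacker launching an arbitrary script through this node.exe can suppress the alert simply by appending that path as an extra, ignored argument (e.g. `node.exe C:\tmp\evil.js "Adobe Creative Cloud Experience\js"`); the hunk does not address this. Consider anchoring the exclusion to the script argument position (Sigma's `re` modifier can express "first argument is under `...\Adobe Creative Cloud Experience\js\`") or keying the exclusion on `ParentImage` being one of Creative Cloud's own processes once those legitimate parents are confirmed, and at minimum record the weakness next to the filter, e.g. `# Substring match: can be bypassed by placing this path anywhere on the command line`. Note also that `selection` matches node.exe only at its installed `\libs\` path, so a copy of the binary elsewhere falls outside the rule; stating that scope in `description` would help analysts. Adding `ParentImage` to `fields` alongside `ParentCommandLine` would make triage of hits easier.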