title: Node.exe Process Abuse
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: experimental
description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali
date: 2022/09/09
tags:
    - attack.defense_evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection and 1 of action_*
falsepositives:
    - Unlikely
level: high