Nasreddine Bencherchali
35 lines
1.2 KiB
YAML
35 lines
1.2 KiB
YAML
title: Node.exe Process Abuse
|
|
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
|
|
status: experimental
|
|
description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
|
|
references:
|
|
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
|
|
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
|
|
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
|
|
- https://nodejs.org/api/cli.html
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/09/09
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1127
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image|endswith: '\node.exe'
|
|
CommandLine|contains:
|
|
- ' -e '
|
|
- ' --eval '
|
|
# Add more pattern of abuse as actions
|
|
action_reverse_shell:
|
|
CommandLine|contains|all:
|
|
- '.exec('
|
|
- 'net.socket'
|
|
- '.connect'
|
|
- 'child_process'
|
|
condition: selection and 1 of action_*
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|