security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ced93a8d170e80984da789df820e07104f2df9bf
blue-team-tools/rules/windows/process_creation/proc_creation_win_node_abuse.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

36 lines
1.3 KiB
YAML
Raw Blame History

title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
- https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
- attack.defense-evasion
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith: '\node.exe'
CommandLine|contains:
- ' -e '
- ' --eval '
# Add more pattern of abuse as actions
selection_action_reverse_shell:
CommandLine|contains|all:
- '.exec('
- 'net.socket'
- '.connect'
- 'child_process'
condition: selection_main and 1 of selection_action_*
falsepositives:
- Unlikely
level: high
Reference in New Issue View Git Blame Copy Permalink