[Tuning] Suspicious React Server Child Process (#5447)

* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml
Samirbous
2025-12-12 10:40:23 +00:00
committed by GitHub
parent cabf1c2a02
commit fcb6c3c433
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/08"
updated_date = "2025/12/10"
[rule]
author = ["Elastic"]
@@ -101,12 +101,11 @@ process where event.type == "start" and event.action in ("exec", "executed", "st
)
and (
?process.working_directory : (
"*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*",
"*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
"*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*.pnpm/next*", "*next/dist/server*", "*react-scripts*") or
(
process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
process.parent.command_line : (
"*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "*server.js*", "*bin/next*",
"*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "* server.js*", "*start-server.js*", "*bin/next*",
"*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"
)
)
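Review bot: The `"* server.js*"` pattern on the new parent.command_line line requires a space immediately before `server.js`, so invocations that reference the script by path — a constructed `node ./server.js` or `node dist/server.js`, for example — matched the old `"*server.js*"` but no longer match unless another entry in the list happens to cover them. If the intent is only to stop matching names like `webserver.js`, adding `"*/server.js*"` next to `"* server.js*"` keeps that exclusion while retaining the path-based forms. A sentence in the rule description explaining why the leading space was introduced (and why `"*/app/*"`, `"*--experimental-https*"` and `"*app/server*"` were dropped from the working_directory list) would make the tuning intent clear to the next maintainer. The `process where` query this condition belongs to starts before the hunk.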