Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell). Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync(). If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked. For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '\node_modules\next'
            - 'next dev'
            - 'next start'
            - 'next" start'
            - 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes
        - Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\ipconfig.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\nslookup.exe'
            - '\OpenConsole.exe'
            - '\perl.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\py.exe'
            - '\python.exe'
            - '\pythonw.exe'
            - '\pyw.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\wget.exe'
            - '\whoami.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wt.exe'
        - Image|contains: '\python'
    selection_generic_child_cli_susp_pattern:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the command line will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
        CommandLine|contains:
            - '\net'
            - 'bitsadmin'
            - 'certutil '
            - 'conhost --headless'
            - 'cscript '
            - 'curl'
            - 'ipconfig'
            - 'java'
            - 'lua'
            - 'mshta'
            - 'netsh'
            - 'nslookup '
            - 'perl'
            - 'ping '
            - 'powershell'
            - 'pwsh'
            - 'python'
            - 'reg '
            - 'reg.exe'
            - 'regsvr32'
            - 'ruby'
            - 'rundll32'
            - 'sc.exe'
            - 'systeminfo'
            - 'wget'
            - 'whoami'
            - 'wmic'
            - 'wscript'
    selection_specific_cmd:
        Image|endswith: '\cmd.exe'
    selection_specific_cli:
        CommandLine|contains: '/d /s /c '
    filter_main_default_shell_flag:
        CommandLine|contains: '/d /s /c '
    filter_main_cli_git:
        CommandLine|contains: 'git config --local --get remote.origin.url'
    filter_main_cli_netstat:
        CommandLine|contains|all:
            - 'netstat -ano | findstr /C:'
            - ' | findstr LISTENING'
    filter_main_cli_mkcert_install:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -install '
    filter_main_cli_mkcert_caroot:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -CAROOT'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_cmd and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and not 1 of filter_main_cli_*)
        )
False positive likelihood has not been assessed. Additional context may be needed during triage.
Other
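To show how the three branches of the rule's condition interact (a generic suspicious child, cmd.exe without execSync()'s default flags, and the default execSync() shell minus the benign developer-tool filters), here is an added Python evaluator run over constructed process-creation events. It is not part of the rule or the page; the pattern lists are abbreviated subsets of the rule's, and the node.exe path and sample command lines are constructed.

```python
# Added example, not from the rule page: evaluates the Sigma condition
# above over constructed Windows process-creation events. Pattern lists are
# abbreviated subsets of the rule's; matching is case-insensitive as in Sigma.
from typing import Dict, List

PARENT_CLI = ["--experimental-https", "\\node_modules\\next", "next dev",
              "next start", "react-scripts start", "start-server.js"]
GENERIC_IMG = ["\\powershell.exe", "\\pwsh.exe", "\\whoami.exe", "\\curl.exe",
               "\\certutil.exe", "\\bash.exe", "\\sh.exe"]            # subset
GENERIC_CLI = ["whoami", "curl", "certutil ", "powershell", "bitsadmin"]  # subset
SHELL_FLAG = "/d /s /c "          # flags execSync()'s default cmd.exe invocation carries
FILTER_CLI: List[List[str]] = [   # each inner list is one contains|all filter group
    ["git config --local --get remote.origin.url"],
    ["netstat -ano | findstr /C:", " | findstr LISTENING"],
    ["\\mkcert\\", " -install "],
    ["\\mkcert\\", " -CAROOT"],
]

def _contains_any(value: str, patterns: List[str]) -> bool:
    v = value.lower()
    return any(p.lower() in v for p in patterns)

def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's condition block."""
    if not (event["ParentImage"].lower().endswith("\\node.exe")
            and _contains_any(event["ParentCommandLine"], PARENT_CLI)):
        return False                                  # selection_parent failed
    image, cli = event["Image"].lower(), event["CommandLine"]
    # 1 of selection_generic_*: suspicious child image, or suspicious command text
    # (covers spawn/exec/execFile/fork children that appear directly as Image)
    generic = (any(image.endswith(s.lower()) for s in GENERIC_IMG)
               or "\\python" in image or _contains_any(cli, GENERIC_CLI))
    is_cmd = image.endswith("\\cmd.exe")
    default_flags = SHELL_FLAG in cli
    # selection_specific_cmd and not filter_main_default_shell_flag:
    # cmd.exe launched without execSync()'s default flags is itself unusual
    cmd_nondefault = is_cmd and not default_flags
    # all of selection_specific_* and not 1 of filter_main_cli_*:
    # default execSync() shell, minus known-benign developer tooling
    benign = any(all(p.lower() in cli.lower() for p in grp) for grp in FILTER_CLI)
    cmd_default = is_cmd and default_flags and not benign
    return generic or cmd_nondefault or cmd_default

def make_event(parent_cli: str, image: str, cli: str) -> Dict[str, str]:
    """Build a constructed process-creation event with a node.exe parent."""
    return {"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
            "ParentCommandLine": parent_cli, "Image": image, "CommandLine": cli}
```

Feeding `matches()` a `cmd.exe /d /s /c "git config --local --get remote.origin.url"` child returns False because the git filter applies, while the same shell running `whoami` returns True through both the generic command-line list and the default-shell branch.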