Type: Detection | Level: high | Status: test

Potential Arbitrary Code Execution Via Node.EXE

Detects the execution of node.exe, which is shipped with multiple software products such as VMware, Adobe, etc., in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Sep 09 | Updated: Fri Feb 03
Rule ID: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add further abuse patterns as additional selection_action_* selectors; the condition below picks up any of them
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
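The following is an added example, not part of the Sigma rule or the Sigma project: a minimal Python evaluator that reproduces this rule's logic (case-insensitive endswith/contains as in Sigma, AND within a selection, and "1 of selection_action_*" across the action selectors) and runs it over a handful of constructed process-creation events. The event dictionaries, their ids, and the function names are assumptions made for this illustration; the matching event deliberately carries the rule's substrings inside a comment rather than a working payload, which is enough to exercise the matching logic.

```python
"""Evaluate the node.exe abuse rule above against sample process-creation events.
Added example; not the Sigma project's own code. Sigma's string modifiers are
case-insensitive, which is reproduced here by lower-casing both sides."""

# The two selectors from the rule, keyed exactly as in the YAML.
RULE = {
    "selection_main": {
        "Image|endswith": ["\\node.exe"],
        "CommandLine|contains": [" -e ", " --eval "],
    },
    "selection_action_reverse_shell": {
        "CommandLine|contains|all": [".exec(", "net.socket", ".connect", "child_process"],
    },
}

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 1: node.exe bundled with a product, started on a script file: no -e/--eval
    {"id": 1, "Image": r"C:\Program Files\Adobe\node.exe",
     "CommandLine": r'"C:\Program Files\Adobe\node.exe" app\main.js'},
    # 2: inline eval but benign: selection_main matches, no action selector does
    {"id": 2, "Image": r"C:\tools\node.exe",
     "CommandLine": 'node.exe -e "console.log(process.version)"'},
    # 3: all four action substrings present (inside a comment here, so inert)
    {"id": 3, "Image": r"C:\tools\node.exe",
     "CommandLine": 'node.exe -e "/* constructed: child_process net.socket .connect .exec( */"'},
    # 4: same substrings but the image is not node.exe
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo child_process net.socket .connect .exec( -e "},
    # 5: upper-case variant with --eval, exercises case-insensitive matching
    {"id": 5, "Image": r"C:\tools\NODE.EXE",
     "CommandLine": 'NODE.EXE --eval "/* constructed: CHILD_PROCESS NET.SOCKET .CONNECT .EXEC( */"'},
]


def _match_field(event, key, values):
    """Apply one 'Field|modifier[|all]' entry to an event."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    needles = [v.lower() for v in values]
    if "endswith" in mods:
        hits = [value.endswith(n) for n in needles]
    elif "startswith" in mods:
        hits = [value.startswith(n) for n in needles]
    elif "contains" in mods:
        hits = [n in value for n in needles]
    else:
        hits = [value == n for n in needles]
    # A list of values is OR-ed unless the 'all' modifier is present.
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    """All field entries inside one selection must match (AND)."""
    return all(_match_field(event, key, vals) for key, vals in selection.items())


def rule_matches(event):
    """condition: selection_main and 1 of selection_action_*"""
    main = selection_matches(event, RULE["selection_main"])
    actions = [selection_matches(event, sel)
               for name, sel in RULE.items() if name.startswith("selection_action_")]
    return main and any(actions)


def triage(events):
    """Return the ids of events that would raise this alert."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "no match", "|", e["CommandLine"])
```

Events 3 and 5 alert; event 2 shows why the rule needs the second selector (inline eval alone is common and benign), and event 4 shows that the Image check keeps the substring list from firing on other interpreters. Note that the rule keys on a space on both sides of -e and --eval, so when tuning it for your own telemetry check how your process-creation source normalises the command line.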
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
6640f31c-01ad-49b5-beb5-83498a5cd8bd
Status
test
Level
high
Type
Detection
Created
Fri Sep 09
Modified
Fri Feb 03
Path
rules/windows/process_creation/proc_creation_win_node_abuse.yml
Raw Tags
attack.defense-evasion, attack.t1127