Detectionhightest

Potential RCE Exploitation Attempt In NodeJS

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Moti HarmatsCreated Sat Feb 1197661d9d-2beb-4630-b423-68985291a8afapplication

Log Source

nodejsapplication

Productnodejs← raw: nodejs

Categoryapplication← raw: application

Definition

Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)

Detection Logic

detection:
    keywords:
        - 'node:child_process'
    condition: keywords

False Positives

Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

97661d9d-2beb-4630-b423-68985291a8af

Status

test

Level

high

Type

Detection

Created

Sat Feb 11

Author

Path

rules/application/nodejs/nodejs_rce_exploitation_attempt.yml

Raw Tags

attack.initial-accessattack.t1190