Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). This rule looks in particular for exploitation of the vulnerability on Node.js servers where attackers abuse the Node.js child_process module to execute arbitrary system commands. When execSync() or exec() is used, the command line often includes a shell invocation followed by the suspicious command or script (e.g., /bin/sh -c <malicious-command>). For the other methods (spawn(), execFile(), fork()), the Image field shows the spawned process directly.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_parent:
        ParentImage|endswith: '/node'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '/node_modules/next'
            - 'next dev'
            - 'next start'
            - 'node_modules/.bin'
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() is used to spawn suspicious processes in the exploit
        - Image|endswith:
              - '/busybox'
              - '/cat'
              - '/curl'
              - '/dash'
              - '/dig'
              - '/head'
              - '/id'
              - '/ifconfig'
              - '/ip'
              - '/java'
              - '/less'
              - '/lua'
              - '/more'
              - '/nc'
              - '/ncat'
              - '/netcat'
              - '/netstat'
              - '/nslookup'
              - '/perl'
              - '/ping'
              - '/python'
              - '/python2'
              - '/ruby'
              - '/socat'
              - '/tail'
              - '/wget'
              - '/whoami'
        - Image|contains: '/python'
    selection_generic_child_cli:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the command line will look something like `/bin/sh -c .......`
        CommandLine|contains:
            - '/dev/tcp/'
            - '/dev/udp/'
            - '/etc/hosts'
            - '/etc/passwd'
            - '/etc/shadow'
            - 'base64'
            - 'cat '
            - 'curl'
            - 'dig'
            - 'ifconfig'
            - 'IO::Socket::INET'
            - 'java'
            - 'less '
            - 'lua'
            - 'mkfifo '
            - 'more'
            - 'nc '
            - 'ncat'
            - 'netcat'
            - 'netstat'
            - 'nslookup'
            - 'perl'
            - 'php'
            - 'ping'
            - 'ps -ef'
            - 'ps aux'
            - 'python'
            - 'rcat'
            - 'ruby'
            - 'sh -i 2>&1'
            - '-c id'
            - 'socat'
            - 'uname'
            - 'wget'
            - 'whoami'
    selection_specific_sh:
        Image|endswith: '/sh'
    selection_specific_cli:
        # The shell is invoked with the default -c flag, as exec()/execSync() do
        CommandLine|contains: ' -c '
    filter_main_default_shell_flag:
        # Plain `sh -c <command>` children are only interesting together with a suspicious command line (see condition)
        CommandLine|contains: ' -c '
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_sh and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and selection_generic_child_cli)
        )

False positive likelihood has not been assessed. Additional context may be needed during triage.
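Added example, not code from this page or from the SigmaHQ project: a stand-alone Python evaluation of the rule's condition over constructed process-creation events, showing what it fires on and what the default shell-flag filter suppresses. Field names are the rule's own; the parent/child events, paths and command lines are made up for illustration.

```python
PARENT_CLI = ('--experimental-https', '--experimental-next-config-strip-types',
              '/node_modules/next', 'next dev', 'next start', 'node_modules/.bin',
              'react-scripts start', 'start-server.js')
CHILD_IMG = ('/busybox', '/cat', '/curl', '/dash', '/dig', '/head', '/id',
             '/ifconfig', '/ip', '/java', '/less', '/lua', '/more', '/nc', '/ncat',
             '/netcat', '/netstat', '/nslookup', '/perl', '/ping', '/python',
             '/python2', '/ruby', '/socat', '/tail', '/wget', '/whoami')
CHILD_CLI = ('/dev/tcp/', '/dev/udp/', '/etc/hosts', '/etc/passwd', '/etc/shadow',
             'base64', 'cat ', 'curl', 'dig', 'ifconfig', 'IO::Socket::INET',
             'java', 'less ', 'lua', 'mkfifo ', 'more', 'nc ', 'ncat', 'netcat',
             'netstat', 'nslookup', 'perl', 'php', 'ping', 'ps -ef', 'ps aux',
             'python', 'rcat', 'ruby', 'sh -i 2>&1', '-c id', 'socat', 'uname',
             'wget', 'whoami')

def selection_parent(ev):  # node binary running a Next.js / React server command
    return (ev["ParentImage"].endswith("/node")
            and any(m in ev["ParentCommandLine"] for m in PARENT_CLI))

def generic_child_img(ev):  # spawn()/exec()/execFile()/fork() of a listed binary
    return ev["Image"].endswith(CHILD_IMG) or "/python" in ev["Image"]

def generic_child_cli(ev):  # suspicious token anywhere in the child command line
    return any(m in ev["CommandLine"] for m in CHILD_CLI)

def specific_sh(ev):
    return ev["Image"].endswith("/sh")

def default_shell_flag(ev):  # exec()/execSync() wrap the command as '/bin/sh -c <cmd>'
    return " -c " in ev["CommandLine"]

def rule_matches(ev):
    # parent AND (1 of generic_* OR sh without -c OR sh -c with a suspicious command line)
    if not selection_parent(ev):
        return False
    sh = specific_sh(ev)
    return (generic_child_img(ev) or generic_child_cli(ev)
            or (sh and not default_shell_flag(ev))
            or (sh and default_shell_flag(ev) and generic_child_cli(ev)))

NEXT = {"ParentImage": "/usr/local/bin/node",  # constructed sample parent (Next.js server)
        "ParentCommandLine": "node /app/node_modules/next/dist/bin/next start"}
SAMPLES = {  # constructed child events, name -> event
    "exec_recon": dict(NEXT, Image="/bin/sh", CommandLine="/bin/sh -c id; uname -a"),
    "build_step": dict(NEXT, Image="/bin/sh", CommandLine="/bin/sh -c npm run build"),
    "bare_shell": dict(NEXT, Image="/bin/sh", CommandLine="/bin/sh -i"),
    "lookup": dict(NEXT, Image="/usr/bin/whoami", CommandLine="whoami"),
    "plain_node": {"ParentImage": "/usr/local/bin/node", "ParentCommandLine": "node server.js",
                   "Image": "/usr/bin/curl", "CommandLine": "curl http://10.0.0.5/health"},
}
def evaluate_samples():
    return {name: rule_matches(ev) for name, ev in SAMPLES.items()}
```

Note that short substring markers such as 'dig', 'more', 'lua' and 'ping' also match inside unrelated words (for example a command line containing "digest"), which is one source of the unassessed false positives mentioned above.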