Detectionmediumexperimental

Unsigned .node File Loaded

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Jonathan BeierleCreated Sat Nov 22e5f5c693-52d7-4de5-88ae-afbfbce85595windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection_node_extension:
        ImageLoaded|endswith: '.node'
    selection_status:
        - Signed: 'false'
        - SignatureStatus: 'Unavailable'
    filter_optional_vscode_jupyter:
        Image|endswith: '\Code.exe'
        ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
        ImageLoaded|endswith:
            - '\electron.napi.node'
            - '\node.napi.glibc.node'
    condition: all of selection_* and not 1 of filter_optional_*

False Positives

VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1129 · Shared Modules