Suspicious Electron Application Child Processes
Detects suspicious child processes of Electron-based applications (Teams, Discord, Slack, etc.). This can be a sign of ".asar" file tampering (see the reference section for more information) or of binary proxy execution through specific CLI arguments (see the related rule).
Author: Nasreddine Bencherchali (Nextron Systems) | Created: Fri Oct 21 | Updated: Fri Jul 12 | Rule ID: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 | OS: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more electron based app to the list
            - '\chrome.exe' # Might require additional tuning
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\teams.exe'
            # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected paths
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - ':\ProgramData\'
            - ':\Temp\'
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
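To make the condition above concrete, here is an added example (not code from the rule page or the Sigma project) that evaluates the rule's selectors and filter over a handful of constructed Sysmon-style process-creation events; field names, sample paths and command lines are all assumed for illustration.

```python
# Added example (not from the rule page or the Sigma project): a small evaluator
# for the rule's condition, run over constructed Sysmon-style process events.
# Sigma |endswith / |contains modifiers match case-insensitively; mimicked via lower().
ELECTRON_PARENTS = ['\\chrome.exe', '\\discord.exe', '\\GitHubDesktop.exe',
                    '\\keybase.exe', '\\msedge.exe', '\\msedgewebview2.exe',
                    '\\msteams.exe', '\\slack.exe', '\\teams.exe']
SUSPICIOUS_CHILD_IMAGES = ['\\cmd.exe', '\\cscript.exe', '\\mshta.exe', '\\powershell.exe',
                           '\\pwsh.exe', '\\regsvr32.exe', '\\whoami.exe', '\\wscript.exe']
SUSPICIOUS_CHILD_PATHS = [':\\ProgramData\\', ':\\Temp\\', '\\AppData\\Local\\Temp\\',
                          '\\Users\\Public\\', '\\Windows\\Temp\\']

def _endswith_any(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def matches_rule(event):
    """condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*"""
    parent, image = event.get('ParentImage', ''), event.get('Image', '')
    selection_parent = _endswith_any(parent, ELECTRON_PARENTS)
    selection_child_image = _endswith_any(image, SUSPICIOUS_CHILD_IMAGES)
    selection_child_paths = _contains_any(image, SUSPICIOUS_CHILD_PATHS)
    # Fields inside one selection are AND-ed, so the filter needs all three to hold.
    filter_optional_discord = (_endswith_any(parent, ['\\Discord.exe'])
                               and _endswith_any(image, ['\\cmd.exe'])
                               and _contains_any(event.get('CommandLine', ''), ['\\NVSMI\\nvidia-smi.exe']))
    return (selection_parent and (selection_child_image or selection_child_paths)
            and not filter_optional_discord)

def matching_indices(events):
    return [i for i, e in enumerate(events) if matches_rule(e)]  # events the rule alerts on

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {'ParentImage': 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -NoProfile -File update.ps1'},  # alert: scripting host child
    {'ParentImage': 'C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe',
     'Image': 'C:\\Users\\Public\\helper.exe', 'CommandLine': 'helper.exe'},  # alert: odd path
    {'ParentImage': 'C:\\Users\\bob\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd.exe /c "C:\\Program Files\\NVIDIA Corporation\\NVSMI\\nvidia-smi.exe"'},  # filtered
    {'ParentImage': 'C:\\Users\\bob\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'CommandLine': 'cmd.exe /c whoami'},  # alert
    {'ParentImage': 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe',
     'Image': 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe',
     'CommandLine': 'Update.exe --processStart Teams.exe'},  # no alert: expected updater child
]
```

Running `matching_indices(SAMPLE_EVENTS)` returns `[0, 1, 3]`: the Discord/nvidia-smi event is suppressed by the optional filter and the Teams updater child matches neither child selector.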
MITRE ATT&CK
Tactics: Execution (tag attack.execution)
Rule Metadata
Rule ID: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
Status: test
Level: medium
Type: Detection
Created: Fri Oct 21
Modified: Fri Jul 12
Path: rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
Raw Tags: attack.execution