Detection rules › Sigma
Unsigned .node File Loaded
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1129 Shared Modules |
| Persistence | T1574.001 Hijack Execution Flow: DLL |
| Privilege Escalation | T1574.001 Hijack Execution Flow: DLL |
| Defense Evasion | T1036.005 Masquerading: Match Legitimate Resource Name or Location, T1574.001 Hijack Execution Flow: DLL |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: all of selection_node_extension
ImageLoaded|endswith: .node
Stage 2: all of selection_status
or:
SignatureStatus: Unavailable
Signed: false
Stage 3: not 1 of filter_optional_vscode_jupyter
or:
ImageLoaded|endswith: '\electron.napi.node'
ImageLoaded|endswith: '\node.napi.glibc.node'
Image|endswith: '\Code.exe'
ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
ImageLoaded | ends_with |
|
ImageLoaded | match |
|
SignatureStatus | eq |
|
Signed | eq |
|