Detection rules › Sigma
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1127 Trusted Developer Utilities Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection_main
or:
CommandLine|contains: ' --eval '
CommandLine|contains: ' -e '
Image|endswith: '\node.exe'
Stage 2: 1 of selection_action_reverse_shell
CommandLine|contains: .connect
CommandLine|contains: '.exec('
CommandLine|contains: child_process
CommandLine|contains: net.socket
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|