```yaml
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
    - id: 378a05d8-963c-46c9-bcce-13c7657eac99
      type: similar
status: test
description: |
    Detects suspicious child processes of Electron apps (Teams, Discord, Slack, etc.). This could be a potential sign of ".asar" file tampering (see the reference section for more information) or of binary execution proxying through specific CLI arguments (see the related rule).
references:
    - https://taggart-tech.com/quasar-electron/
    - https://github.com/mttaggart/quasar
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-21
modified: 2024-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more Electron-based apps to the list
            - '\chrome.exe' # Might require additional tuning
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\teams.exe'
            # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected child images
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - ':\ProgramData\'
            - ':\Temp\'
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
# Increase the level once the FP rate is reduced (see status)
level: medium
```
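To see how the condition `selection_parent and 1 of selection_child_* and not 1 of filter_optional_*` resolves on concrete events, the following Python matcher re-implements the rule's logic and runs it over a handful of constructed process-creation events. This is an added example, not code from the rule or from the SigmaHQ project: the field names (`ParentImage`, `Image`, `CommandLine`) follow the Sigma `process_creation` log source, the string comparisons are case-insensitive as Sigma's `endswith`/`contains` modifiers are by default, and every path and command line in `SAMPLE_EVENTS` is made up for illustration.

```python
"""Re-implementation of the 'Suspicious Electron Application Child Processes'
Sigma logic, evaluated over constructed process-creation events.

Added example; not part of the Sigma rule or the SigmaHQ project.
"""

# Lists copied from the rule. Sigma string modifiers are case-insensitive
# by default, so all comparisons below lower-case both sides.
ELECTRON_PARENTS = [
    "\\chrome.exe", "\\discord.exe", "\\GitHubDesktop.exe", "\\keybase.exe",
    "\\msedge.exe", "\\msedgewebview2.exe", "\\msteams.exe", "\\slack.exe",
    "\\teams.exe",
]
SUSPICIOUS_CHILD_IMAGES = [
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\whoami.exe", "\\wscript.exe",
]
SUSPICIOUS_CHILD_PATHS = [
    ":\\ProgramData\\", ":\\Temp\\", "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\", "\\Windows\\Temp\\",
]


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def is_suspicious_electron_child(event):
    """Return True when the event satisfies the rule's condition."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")

    selection_parent = _endswith_any(parent, ELECTRON_PARENTS)
    # "1 of selection_child_*": either the image name or its path is suspicious
    selection_child = (_endswith_any(image, SUSPICIOUS_CHILD_IMAGES)
                       or _contains_any(image, SUSPICIOUS_CHILD_PATHS))
    # "not 1 of filter_optional_*": the Discord/nvidia-smi exclusion
    filter_discord = (_endswith_any(parent, ["\\Discord.exe"])
                      and _endswith_any(image, ["\\cmd.exe"])
                      and _contains_any(cmdline, ["\\NVSMI\\nvidia-smi.exe"]))
    return selection_parent and selection_child and not filter_discord


# Constructed sample events (paths and command lines are invented).
SAMPLE_EVENTS = [
    {"id": "teams-powershell",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"id": "discord-nvidia-smi",  # excluded by filter_optional_discord
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9001\\Discord.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /d /s /c \"C:\\Program Files\\NVIDIA Corporation\\NVSMI\\nvidia-smi.exe\""},
    {"id": "slack-temp-binary",  # matches via selection_child_paths
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "update.exe --silent"},
    {"id": "explorer-cmd",  # parent is not an Electron app
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"id": "edge-renderer",  # ordinary Chromium child process
     "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer"},
    {"id": "discord-cmd-no-filter",  # same parent/child as the filter, different command line
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9001\\Discord.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def alert_ids(events):
    """Ids of the events that would raise an alert under this rule."""
    return [e["id"] for e in events if is_suspicious_electron_child(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<24} -> {is_suspicious_electron_child(e)}")
```

Two details worth noticing when tuning: the `Teams.exe` parent matches the lower-case `'\teams.exe'` entry only because the comparison is case-insensitive, and the Discord exclusion is deliberately narrow (parent, child and command line all have to match), so a Discord-spawned `cmd.exe` with any other command line still alerts.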
The same rule converted to a Microsoft Sentinel (KQL, ASIM `imProcessCreate`) query:

```kql
imProcessCreate
| where (
        (ParentProcessName endswith "\\chrome.exe" or ParentProcessName endswith "\\discord.exe" or ParentProcessName endswith "\\GitHubDesktop.exe" or ParentProcessName endswith "\\keybase.exe" or ParentProcessName endswith "\\msedge.exe" or ParentProcessName endswith "\\msedgewebview2.exe" or ParentProcessName endswith "\\msteams.exe" or ParentProcessName endswith "\\slack.exe" or ParentProcessName endswith "\\teams.exe")
        or (ActingProcessName endswith "\\chrome.exe" or ActingProcessName endswith "\\discord.exe" or ActingProcessName endswith "\\GitHubDesktop.exe" or ActingProcessName endswith "\\keybase.exe" or ActingProcessName endswith "\\msedge.exe" or ActingProcessName endswith "\\msedgewebview2.exe" or ActingProcessName endswith "\\msteams.exe" or ActingProcessName endswith "\\slack.exe" or ActingProcessName endswith "\\teams.exe")
    )
    and (
        (TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\whoami.exe" or TargetProcessName endswith "\\wscript.exe")
        or (TargetProcessName contains ":\\ProgramData\\" or TargetProcessName contains ":\\Temp\\" or TargetProcessName contains "\\AppData\\Local\\Temp\\" or TargetProcessName contains "\\Users\\Public\\" or TargetProcessName contains "\\Windows\\Temp\\")
    )
    and (not(
        ((ParentProcessName endswith "\\Discord.exe" or ActingProcessName endswith "\\Discord.exe")
        and TargetProcessName endswith "\\cmd.exe"
        and TargetProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe")
    ))
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |