Sigma rules for CVE-2013-0293
3 rules · scoped to cve · back to CVE-2013-0293
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
- https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith: '\node.exe'
CommandLine|contains:
- ' -e '
- ' --eval '
# Add more pattern of abuse as actions
selection_action_reverse_shell:
CommandLine|contains|all:
- '.exec('
- 'net.socket'
- '.connect'
- 'child_process'
condition: selection_main and 1 of selection_action_*
falsepositives:
- Unlikely
level: high
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
- https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
filter:
CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
condition: selection and not filter
falsepositives:
- Unknown
level: medium
title: Unsigned .node File Loaded
id: e5f5c693-52d7-4de5-88ae-afbfbce85595
status: experimental
description: |
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
references:
- https://www.coreycburton.com/blog/driploader-case-study
- https://github.com/CoreyCBurton/DripLoaderNG
- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
author: Jonathan Beierle (@hullabrian)
date: 2025-11-22
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1129
- attack.t1574.001
- attack.t1036.005
logsource:
category: image_load
product: windows
detection:
selection_node_extension:
ImageLoaded|endswith: '.node'
selection_status:
- Signed: 'false'
- SignatureStatus: 'Unavailable'
filter_optional_vscode_jupyter:
Image|endswith: '\Code.exe'
ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
ImageLoaded|endswith:
- '\electron.napi.node'
- '\node.napi.glibc.node'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
level: medium