Sigma rules · CVE-2022-0435 · threatengine.sh

Home/CVE-2022-0435/Sigma rules

Sigma

Sigma rules for CVE-2022-0435

4 rules · scoped to cve · back to CVE-2022-0435

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

4 of 4

direct high

Potential Arbitrary Code Execution Via Node.EXE

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

status test author Nasreddine Bencherchali (Nextron Systems) id 6640f31c-01ad-49b5-beb5-83498a5cd8bd license Sigma · DRL-1.1

view Sigma YAML

title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
falsepositives:
    - Unlikely
level: high

direct medium

Node Process Executions

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

status test author Max Altgelt (Nextron Systems) id df1f26d3-bea7-4700-9ea2-ad3e990cf90e license Sigma · DRL-1.1

view Sigma YAML

title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

direct medium

Unsigned .node File Loaded

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

status experimental author Jonathan Beierle (@hullabrian) id e5f5c693-52d7-4de5-88ae-afbfbce85595 license Sigma · DRL-1.1

view Sigma YAML

title: Unsigned .node File Loaded
id: e5f5c693-52d7-4de5-88ae-afbfbce85595
status: experimental
description: |
    Detects the loading of unsigned .node files.
    Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
    .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
    This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
references:
    - https://www.coreycburton.com/blog/driploader-case-study
    - https://github.com/CoreyCBurton/DripLoaderNG
    - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
author: Jonathan Beierle (@hullabrian)
date: 2025-11-22
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1129
    - attack.t1574.001
    - attack.t1036.005
logsource:
    category: image_load
    product: windows
detection:
    selection_node_extension:
        ImageLoaded|endswith: '.node'
    selection_status:
        - Signed: 'false'
        - SignatureStatus: 'Unavailable'
    filter_optional_vscode_jupyter:
        Image|endswith: '\Code.exe'
        ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
        ImageLoaded|endswith:
            - '\electron.napi.node'
            - '\node.napi.glibc.node'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
level: medium

direct medium

Powershell Detect Virtualization Environment

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox

status test author frack113, Duc.Le-GTSC id d93129cd-1ee0-479f-bc03-ca6f129882e3 license Sigma · DRL-1.1

view Sigma YAML

title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
    - attack.discovery
    - attack.stealth
    - attack.t1497.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - Get-WmiObject
            - gwmi
    selection_module:
        ScriptBlockText|contains:
            - MSAcpi_ThermalZoneTemperature
            - Win32_ComputerSystem
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

Showing 1-4 of 4

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin