n8n Improper Control of Dynamically-Managed Code Resources (CVE-2025-68613)

let n8n_processes = DeviceProcessEvents
| where FileName in~ ("node", "node.exe") or ProcessCommandLine has "n8n"
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName;
let suspicious_children = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe", "python", "python3", "wget", "curl", "nc", "ncat", "perl", "ruby")
    or ProcessCommandLine has_any ("chmod", "chown", "/etc/passwd", "/etc/shadow", "base64", "whoami", "id", "net user", "net localgroup", "certutil", "bitsadmin")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessFileName;
let n8n_network = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where RemotePort !in (5678, 443, 80, 8080)
| where RemoteIPType != "Private"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine;
let n8n_file_writes = DeviceFileEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where FolderPath has_any ("/tmp", "/var/tmp", "C:\\Windows\\Temp", "%TEMP%", "/dev/shm")
    or FileName has_any (".sh", ".ps1", ".bat", ".py", ".exe", ".elf")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, InitiatingProcessFileName;
suspicious_children
| union (n8n_network | project DeviceId, DeviceName, Timestamp, ProcessId = 0, FileName = InitiatingProcessFileName, ProcessCommandLine = strcat(RemoteIP, ":", tostring(RemotePort)), InitiatingProcessId = 0, InitiatingProcessFileName)
| union (n8n_file_writes | project DeviceId, DeviceName, Timestamp, ProcessId = 0, FileName, ProcessCommandLine = FolderPath, InitiatingProcessId = 0, InitiatingProcessFileName)
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Commands = make_set(ProcessCommandLine, 20) by DeviceId, DeviceName, InitiatingProcessFileName
| where EventCount >= 1
| extend AlertTitle = "CVE-2025-68613: Potential n8n Code Execution Exploitation"
| project AlertTitle, DeviceName, DeviceId, FirstSeen, LastSeen, EventCount, Commands

index=* sourcetype IN ("sysmon", "linux:audit", "osquery:results", "crowdstrike:events:sensor")
(EventCode=1 OR EventID=1 OR event_simpleName=ProcessRollup2)
| eval parent_proc=coalesce(ParentImage, parent_process_name, TargetFileName)
| eval child_proc=coalesce(Image, process_name, FileName)
| eval cmdline=coalesce(CommandLine, process, cmdLine)
| where (match(parent_proc, "(?i)node(\.exe)?$") AND (
    match(child_proc, "(?i)(sh|bash|dash|zsh|cmd\.exe|powershell\.exe|pwsh\.exe|python[23]?|wget|curl|ncat|nc|perl|ruby|mshta)") OR
    match(cmdline, "(?i)(whoami|id\b|/etc/passwd|/etc/shadow|base64|chmod\s+[0-9]+|chown\s+root|net\s+user|net\s+localgroup|certutil|bitsadmin|curl\s+-o|wget\s+-O)")))
| eval risk_score=case(
    match(child_proc, "(?i)(powershell|cmd\.exe|bash|sh)") AND match(cmdline, "(?i)(base64|encoded|iex|invoke-expression)"), 90,
    match(child_proc, "(?i)(wget|curl)") AND match(cmdline, "(?i)(-o|-O|--output)"), 85,
    match(cmdline, "(?i)(/etc/passwd|/etc/shadow)"), 95,
    true(), 70)
| table _time, host, parent_proc, child_proc, cmdline, risk_score, user
| sort -risk_score
| eval alert="CVE-2025-68613: n8n Dynamic Code Execution Abuse"
| where risk_score >= 70

sequence by host.id with maxspan=2m
  [process where event.type == "start"
   and (process.name like~ "node" or process.name like~ "node.exe")
   and process.command_line like~ "*n8n*"
  ] by process.entity_id
  [process where event.type == "start"
   and process.parent.name like~ "node"
   and (
     process.name in~ ("sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "wget", "curl", "python", "python3", "perl", "ruby", "nc", "ncat")
     or process.command_line like~ "*whoami*"
     or process.command_line like~ "*/etc/passwd*"
     or process.command_line like~ "*base64*"
     or process.command_line like~ "*chmod +x*"
     or process.command_line like~ "*net user*"
   )
  ] by process.parent.entity_id

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command" AS command_line,
  logsourcename(logsourceid) AS log_source,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'SysMon')
  AND (
    ("Parent Process Name" ILIKE '%node%' OR "Parent Process Name" ILIKE '%n8n%')
    AND (
      "Process Name" ILIKE '%bash%' OR "Process Name" ILIKE '%sh%'
      OR "Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%powershell%'
      OR "Process Name" ILIKE '%wget%' OR "Process Name" ILIKE '%curl%'
      OR "Process Name" ILIKE '%python%' OR "Process Name" ILIKE '%perl%'
      OR "Command" ILIKE '%whoami%' OR "Command" ILIKE '%/etc/passwd%'
      OR "Command" ILIKE '%base64%' OR "Command" ILIKE '%chmod%'
      OR "Command" ILIKE '%net user%' OR "Command" ILIKE '%certutil%'
    )
  )
  AND LOGSOURCE_LAST(600000)
LAST 3600 SECONDS

_sourceCategory=*/sysmon OR _sourceCategory=*/linux/audit OR _sourceCategory=endpoint/process
| json auto
| where (%"ParentImage" matches "*node*" OR %"parent_process_name" matches "*node*")
| where (%"Image" matches "*bash*" OR %"Image" matches "*sh" OR %"Image" matches "*cmd.exe*"
    OR %"Image" matches "*powershell*" OR %"Image" matches "*wget*" OR %"Image" matches "*curl*"
    OR %"Image" matches "*python*" OR %"Image" matches "*perl*" OR %"Image" matches "*nc*"
    OR %"CommandLine" matches "*whoami*" OR %"CommandLine" matches "*/etc/passwd*"
    OR %"CommandLine" matches "*base64*" OR %"CommandLine" matches "*chmod +x*"
    OR %"CommandLine" matches "*net user*" OR %"CommandLine" matches "*certutil*")
| eval risk = if(%"CommandLine" matches "*/etc/passwd*" OR %"CommandLine" matches "*/etc/shadow*", "CRITICAL",
    if(%"CommandLine" matches "*base64*" OR %"CommandLine" matches "*powershell*", "HIGH", "MEDIUM"))
| count by _sourceHost, %"ParentImage", %"Image", %"CommandLine", %"User", risk
| sort by risk, _count desc
| fields _sourceHost, %"ParentImage", %"Image", %"CommandLine", %"User", risk, _count

rule cve_2025_68613_n8n_code_execution {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-68613 exploitation via n8n dynamic code resource abuse"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"
    cve = "CVE-2025-68613"

  events:
    $parent.metadata.event_type = "PROCESS_LAUNCH"
    $parent.principal.process.file.full_path = /(?i).*node(\.exe)?$/
    $parent.principal.process.command_line = /(?i).*n8n.*/

    $child.metadata.event_type = "PROCESS_LAUNCH"
    $child.principal.process.parent_process.file.full_path = /(?i).*node(\.exe)?$/
    (
      $child.principal.process.file.full_path = /(?i).*(bash|sh|cmd\.exe|powershell|pwsh|wget|curl|python[23]?|perl|ruby|ncat|nc)$/
      or $child.principal.process.command_line = /(?i).*(whoami|id\b|\/etc\/passwd|\/etc\/shadow|base64|chmod\s+\+x|net\s+user|certutil|bitsadmin).*/
    )

    $parent.principal.hostname = $child.principal.hostname

  match:
    $child.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($child.principal.process.command_line = /(?i).*\/etc\/shadow.*/, 95,
      if($child.principal.process.command_line = /(?i).*(base64|certutil|bitsadmin).*/, 85,
      if($child.principal.process.file.full_path = /(?i).*(powershell|cmd\.exe).*/, 80, 70)))
    )
    $hostname = $child.principal.hostname
    $username = $child.principal.user.userid
    $child_process = $child.principal.process.file.full_path
    $cmdline = $child.principal.process.command_line

  condition:
    $parent and $child
}

#event_simpleName=ProcessRollup2
| ParentBaseFileName=/node(\.exe)?$/i
| (
    ImageFileName=/\/(bash|sh|dash|zsh|wget|curl|python[23]?|perl|ruby|nc|ncat)$/i
    OR ImageFileName=/(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe)$/i
    OR CommandLine=/(whoami|id\b|\/etc\/passwd|\/etc\/shadow|base64|chmod\s\+x|net\s+user|certutil|bitsadmin)/i
  )
| eval risk_score=case(
    CommandLine=~/\/etc\/shadow/i, "95",
    CommandLine=~/base64|certutil|bitsadmin/i, "85",
    ImageFileName=~/powershell|cmd\.exe/i, "80",
    true(), "70")
| groupby([ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, risk_score])
| sort(risk_score, order=desc)
| rename(field=ComputerName, as="Hostname")
| rename(field=UserName, as="User")
| rename(field=ParentBaseFileName, as="ParentProcess")
| rename(field=ImageFileName, as="ChildProcess")
| rename(field=CommandLine, as="CommandLine")
| head(100)