CVE-2026-30120 Google Chronicle · YARA-L

Detect Remotion RCE via Code Injection (CVE-2026-30120) in Google Chronicle

Detects exploitation of CVE-2026-30120, a critical remote code execution vulnerability in the Remotion npm package (versions < 4.0.410). The vulnerability is a code injection flaw (CWE-94, improper control of code generation) that lets an attacker execute arbitrary code in any environment running a vulnerable Remotion version. A public PoC exists, which raises the likelihood of exploitation.

MITRE ATT&CK

Tactic

  • Execution
  • Persistence
  • Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2026_30120_remotion_rce {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-30120 Remotion RCE exploitation via code injection"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-30120"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.command_line = /remotion/ nocase or
      $e.target.process.command_line = /@remotion/ nocase
    )
    (
      $e.target.process.command_line = /child_process/ nocase or
      $e.target.process.command_line = /execSync/ nocase or
      $e.target.process.command_line = /spawnSync/ nocase or
      $e.target.process.command_line = /eval\(/ or
      $e.target.process.command_line = /Function\(/
    )

  condition:
    $e
}
Severity: critical · Confidence: medium

Chronicle YARA-L rule detecting process launch events with Remotion references combined with known JavaScript code injection primitives exploited in CVE-2026-30120.

Data Sources

  • Google Chronicle
  • Google Security Operations
  • Endpoint telemetry via Chronicle forwarder

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives & Tuning

  • Remotion cloud rendering jobs that legitimately execute Node.js worker scripts
  • CI/CD systems using Remotion for automated video generation in build pipelines
  • Security researchers reproducing the PoC in isolated lab environments

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Remotion Code Injection via eval()

    Expected signal: Process launch event for node with command line containing 'remotion' and 'eval('. Child process event for 'id' command spawned from node. File creation event for /tmp/cve_2026_30120_test.txt.

  2. Test 2: Simulate Remotion execSync Child Process Spawn

    Expected signal: Process event for node with title 'remotion-renderer'. child_process module load. Execution of 'whoami'. File write to /tmp/remotion_rce_test.txt.

  3. Test 3: Simulate Remotion RCE on Windows via spawnSync

    Expected signal: DeviceProcessEvents entry for node.exe with 'remotion' and 'spawnSync' in CommandLine. Child process event for cmd.exe spawned from node.exe. File write event for remotion_rce_test.txt in TEMP directory.
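As an added example (not part of the original page and not df00tech's own code), the Python below re-implements the events section of the YARA-L rule and runs it over constructed process launch events shaped like Chronicle UDM records. The samples cover the command lines the three tests above say to expect, the CI/CD render case from the False Positives list, and two edge cases: an event of the wrong type, and a `Function (` call with whitespace before the parenthesis. The event dictionaries, command lines and helper names (`make_event`, `rule_matches`, `evaluate`, `matched_names`) are assumptions made for this example; the field paths `metadata.event_type` and `target.process.command_line` are the ones the rule reads.

```python
import re

# Regexes mirroring the events section of the YARA-L rule. The rule applies
# `nocase` to the Remotion and child_process/execSync/spawnSync patterns but
# not to eval\( and Function\(, so those two stay case-sensitive here as well.
REMOTION_PATTERNS = [
    re.compile(r"remotion", re.IGNORECASE),
    re.compile(r"@remotion", re.IGNORECASE),
]
INJECTION_PATTERNS = [
    re.compile(r"child_process", re.IGNORECASE),
    re.compile(r"execSync", re.IGNORECASE),
    re.compile(r"spawnSync", re.IGNORECASE),
    re.compile(r"eval\("),
    re.compile(r"Function\("),
]


def make_event(command_line: str, event_type: str = "PROCESS_LAUNCH") -> dict:
    """Build a minimal UDM-shaped event (constructed for this example) using the
    two field paths the rule reads: metadata.event_type and
    target.process.command_line."""
    return {
        "metadata": {"event_type": event_type},
        "target": {"process": {"command_line": command_line}},
    }


def rule_matches(event: dict) -> bool:
    """Emulate the rule: PROCESS_LAUNCH AND (Remotion reference) AND (injection primitive)."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return False
    cmd = event.get("target", {}).get("process", {}).get("command_line", "")
    has_remotion = any(p.search(cmd) for p in REMOTION_PATTERNS)
    has_primitive = any(p.search(cmd) for p in INJECTION_PATTERNS)
    return has_remotion and has_primitive


# Constructed sample command lines. The first three follow the expected signals
# of the three Atomic Red Team tests described on the page; the rest exercise
# the false-positive list and two edge cases of the rule's regexes.
SAMPLE_EVENTS = {
    # Test 1: node with 'remotion' and 'eval(' in the command line
    "test1_eval": make_event(
        "node -e \"require('remotion'); eval(process.env.INPUT)\""),
    # Test 2: process titled remotion-renderer loading child_process / execSync
    "test2_execsync": make_event(
        "node --title=remotion-renderer -e \"require('child_process').execSync('whoami')\""),
    # Test 3: node.exe with 'remotion' and 'spawnSync'
    "test3_spawnsync": make_event(
        "node.exe -e \"require('remotion'); require('child_process').spawnSync('cmd.exe')\""),
    # Legitimate CI/CD render: Remotion reference but no injection primitive
    "fp_ci_render": make_event(
        "npx remotion render src/index.ts HelloWorld out/video.mp4"),
    # eval( with no Remotion reference at all
    "fp_unrelated_eval": make_event(
        "node -e \"eval(require('fs').readFileSync('config.js', 'utf8'))\""),
    # Same command line as test 1 but a different event type: the rule only reads PROCESS_LAUNCH
    "wrong_event_type": make_event(
        "node -e \"require('remotion'); eval(process.env.INPUT)\"", event_type="FILE_CREATION"),
    # Whitespace between Function and '(' is legal JavaScript but is not matched by /Function\(/
    "gap_spaced_function": make_event(
        "node -e \"require('remotion'); new Function ('return 1')()\""),
}


def evaluate(events: dict) -> dict:
    """Map each sample name to whether the emulated rule would fire on it."""
    return {name: rule_matches(ev) for name, ev in events.items()}


def matched_names(events: dict) -> list:
    """Sorted names of the samples that fire, i.e. the set an analyst would triage."""
    return sorted(name for name, fired in evaluate(events).items() if fired)


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:22s} {'ALERT' if fired else 'no match'}")
```

Running it fires only on the three test samples. The `fp_ci_render` case shows why the rule ANDs the two groups: a plain `remotion render` in a build pipeline carries no injection primitive and stays quiet, which is the tuning point from the False Positives list. The `gap_spaced_function` case is a coverage caveat rather than a false positive: if that spelling matters in your environment, a pattern such as `/Function\s*\(/` (an assumption, not part of the published rule) would close it.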
