T1218.015 Electron Applications Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ElectronApps = dynamic(["slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ElectronApps) or ProcessCommandLine has_any ("--inspect", "--inspect-brk", "--remote-debugging-port", "--remote-allow-origins", "--js-flags")
| extend DebugPort = ProcessCommandLine has_any ("--inspect", "--inspect-brk", "--remote-debugging-port")
| extend RemoteDebugging = ProcessCommandLine matches regex @"--remote-debugging-port=\d+"
| extend JSFlags = ProcessCommandLine has "--js-flags"
| extend AllowOrigins = ProcessCommandLine has "--remote-allow-origins"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where DebugPort or RemoteDebugging or JSFlags or (AllowOrigins and SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, DebugPort, RemoteDebugging, JSFlags, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Network: Network Connection Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Developers using Electron debugging features (--inspect, --remote-debugging-port) during application development and testing
IT administrators using Electron debug flags for troubleshooting application issues
Automated testing frameworks (Spectron, Playwright for Electron) that use debug ports for headless testing
VS Code extension developers using the --inspect flag for extension debugging

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ElectronApp=if(match(Image, "(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe"), 1, 0)
| eval DebugPort=if(match(CommandLine, "(--inspect|--inspect-brk|--remote-debugging-port)"), 1, 0)
| eval JSFlags=if(match(CommandLine, "--js-flags"), 1, 0)
| eval AllowOrigins=if(match(CommandLine, "--remote-allow-origins"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval RiskScore=(ElectronApp * DebugPort) + JSFlags + (AllowOrigins * SuspiciousParent)
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers using Electron debugging features during application development
IT administrators using debug flags for troubleshooting
Automated testing frameworks using debug ports for headless testing
VS Code extension developers using --inspect for debugging

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name in~ ("slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe")
    and process.args : ("--inspect*", "--inspect-brk*", "--remote-debugging-port*", "--remote-allow-origins*", "--js-flags*")
  )
  or
  (
    process.args : ("--inspect*", "--inspect-brk*", "--remote-debugging-port*", "--js-flags*")
    and process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )
  or
  (
    process.args : "--remote-allow-origins*"
    and process.name in~ ("slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe")
    and process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Process Telemetry

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate developer debugging sessions where VS Code's built-in Node.js debugger spawns child Electron renderer processes with --inspect or --inspect-brk flags during extension development
Automated UI testing pipelines (Spectron, Playwright, Electron-Mocha) that attach to Electron apps via --remote-debugging-port for headless end-to-end test execution in CI environments
IT helpdesk or MDM management scripts using PowerShell to restart Slack or Teams with custom startup arguments that include --js-flags for V8 heap size tuning in memory-constrained environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS User,
  devicehostname AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine
FROM events
WHERE LOGSOURCETYPEID IN (12, 383)
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    LOWER("CommandLine") ILIKE '%--inspect%'
    OR LOWER("CommandLine") ILIKE '%--inspect-brk%'
    OR LOWER("CommandLine") ILIKE '%--remote-debugging-port=%'
    OR LOWER("CommandLine") ILIKE '%--js-flags=%'
    OR LOWER("CommandLine") ILIKE '%--remote-allow-origins=%'
  )
  AND (
    LOWER("Image") ILIKE '%slack.exe%'
    OR LOWER("Image") ILIKE '%teams.exe%'
    OR LOWER("Image") ILIKE '%discord.exe%'
    OR LOWER("Image") ILIKE '%code.exe%'
    OR LOWER("Image") ILIKE '%signal-desktop.exe%'
    OR LOWER("Image") ILIKE '%notion.exe%'
    OR LOWER("Image") ILIKE '%obsidian.exe%'
    OR LOWER("Image") ILIKE '%figma.exe%'
    OR LOWER("Image") ILIKE '%1password.exe%'
    OR LOWER("ParentImage") ILIKE '%cmd.exe%'
    OR LOWER("ParentImage") ILIKE '%powershell.exe%'
    OR LOWER("ParentImage") ILIKE '%wscript.exe%'
    OR LOWER("ParentImage") ILIKE '%cscript.exe%'
    OR LOWER("ParentImage") ILIKE '%mshta.exe%'
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Developer workstations where CI/CD agents use PowerShell to launch Electron applications with --remote-debugging-port for automated integration testing against local builds
Security tooling or SIEM-adjacent agents that programmatically invoke VS Code (code.exe) with --inspect flags to perform extension sandboxing analysis or behavioral profiling
Enterprise application packaging workflows where Electron apps are launched with --js-flags by build scripts during installer generation or MSIX packaging validation steps

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>"
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>"
| parse regex "(?i)<ParentCommandLine>(?<ParentCommandLine>[^<]+)</ParentCommandLine>"
| parse regex "(?i)<User>(?<User>[^<]+)</User>"
| where CommandLine matches "*--inspect*"
  or CommandLine matches "*--inspect-brk*"
  or CommandLine matches "*--remote-debugging-port=*"
  or CommandLine matches "*--js-flags=*"
  or CommandLine matches "*--remote-allow-origins=*"
| where Image matches "*slack.exe*"
  or Image matches "*teams.exe*"
  or Image matches "*discord.exe*"
  or Image matches "*code.exe*"
  or Image matches "*signal-desktop.exe*"
  or Image matches "*notion.exe*"
  or Image matches "*obsidian.exe*"
  or Image matches "*figma.exe*"
  or Image matches "*1password.exe*"
  or ParentImage matches "*cmd.exe*"
  or ParentImage matches "*powershell.exe*"
  or ParentImage matches "*wscript.exe*"
  or ParentImage matches "*cscript.exe*"
  or ParentImage matches "*mshta.exe*"
| eval ElectronApp = if(Image matches "*slack.exe*" or Image matches "*teams.exe*" or Image matches "*discord.exe*" or Image matches "*code.exe*" or Image matches "*signal-desktop.exe*" or Image matches "*notion.exe*" or Image matches "*obsidian.exe*" or Image matches "*figma.exe*" or Image matches "*1password.exe*", 1, 0)
| eval DebugPort = if(CommandLine matches "*--inspect*" or CommandLine matches "*--remote-debugging-port*", 1, 0)
| eval JSFlags = if(CommandLine matches "*--js-flags*", 1, 0)
| eval AllowOrigins = if(CommandLine matches "*--remote-allow-origins*", 1, 0)
| eval SuspiciousParent = if(ParentImage matches "*cmd.exe*" or ParentImage matches "*powershell.exe*" or ParentImage matches "*wscript.exe*" or ParentImage matches "*cscript.exe*" or ParentImage matches "*mshta.exe*", 1, 0)
| eval RiskScore = (ElectronApp * DebugPort) + JSFlags + (AllowOrigins * SuspiciousParent)
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon

False Positives

Electron-based IDE tooling such as VS Code launching renderer subprocesses with --inspect-brk during Node.js extension host debugging activated from within the editor itself
Automated QA suites running Spectron or electron-chromedriver tests that pass --remote-debugging-port to Electron apps as part of nightly regression test execution via scheduled shell scripts
IT operations runbooks that use cmd.exe to silently restart Slack or Teams after SSO token refresh, passing harmless --js-flags arguments inherited from GPO-managed shortcut configurations

Google Chronicle / SecOps

yaral

rule electron_debug_flag_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects abuse of Electron application debug and Node.js instrumentation flags for arbitrary code execution. Targets PROCESS_LAUNCH events where known Electron binaries or processes spawned by script interpreters carry --inspect, --inspect-brk, --remote-debugging-port, --js-flags, or --remote-allow-origins arguments. Associated with Lumma Stealer and T1218.015."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.015"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1218/015/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.command_line, `(?i)--(inspect|inspect-brk|remote-debugging-port|js-flags|remote-allow-origins)[= ]`)
    (
      re.regex($e.target.process.file.full_path, `(?i)(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe$`)
      or re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Windows Endpoint Telemetry) EDR Process Events normalized to UDM

Required Tables

UDM Events — PROCESS_LAUNCH

False Positives

VS Code's integrated Node.js debugger spawning Electron renderer or extension host processes with --inspect or --inspect-brk during normal developer debugging workflows on enterprise endpoints
Electron app build toolchains (electron-builder, Forge) that launch compiled Electron binaries with --inspect flags during ASAR packaging validation or post-build smoke testing
Security researchers and red team operators intentionally abusing debug flags in authorized test environments to assess Electron app attack surface — may trigger on penetration testing engagements

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe$/
  OR CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port|js-flags|remote-allow-origins)[= ]/
| CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port|js-flags|remote-allow-origins)[= ]/
| ElectronApp := if(FileName = /(?i)^(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe$/, "true", "false")
| DebugPort := if(CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port)/, "true", "false")
| JSFlags := if(CommandLine = /(?i)--js-flags/, "true", "false")
| AllowOrigins := if(CommandLine = /(?i)--remote-allow-origins/, "true", "false")
| SuspiciousParent := if(ParentBaseFileName = /(?i)^(cmd|powershell|wscript|cscript|mshta)\.exe$/, "true", "false")
| DebugPort = "true" OR JSFlags = "true" OR (AllowOrigins = "true" AND SuspiciousParent = "true")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent

Required Tables

ProcessRollup2

False Positives

Developer workstations enrolled in Falcon where VS Code or other Electron IDEs are actively used with Node.js debugging enabled — ProcessRollup2 will capture --inspect flags from legitimate debug sessions
Automated Electron app testing frameworks (Spectron, electron-chromedriver) executed from CI runner agents on Falcon-protected build servers, passing --remote-debugging-port as a standard test harness argument
Corporate IT scripts deploying or restarting Slack, Teams, or Discord with PowerShell using --js-flags arguments derived from GPO-managed application startup configurations

Electron Applications

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections