T1218.015 Elastic Security · Elastic

Detect Electron Applications in Elastic Security

Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by passing malicious JavaScript via command-line flags (--inspect, --inspect-brk, --remote-debugging-port) to enable DevTools remote debugging and execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware using this technique. This grants full system access including filesystem operations, child process spawning, and network communication.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.015 Electron Applications
Canonical reference
https://attack.mitre.org/techniques/T1218/015/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  (
    process.name in~ ("slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe")
    and process.args : ("--inspect*", "--inspect-brk*", "--remote-debugging-port*", "--remote-allow-origins*", "--js-flags*")
  )
  or
  (
    process.args : ("--inspect*", "--inspect-brk*", "--remote-debugging-port*", "--js-flags*")
    and process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )
  or
  (
    process.args : "--remote-allow-origins*"
    and process.name in~ ("slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe")
    and process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )
)
high severity high confidence

Elastic EQL detection for T1218.015 — Electron Application abuse. Matches process start events where known Electron binaries (Slack, Teams, Discord, VS Code, Signal, Notion, Obsidian, Figma, 1Password) are launched with Node.js/Chromium debug instrumentation flags (--inspect, --inspect-brk, --remote-debugging-port, --js-flags, --remote-allow-origins), or where any process carrying those flags is spawned by a suspicious script interpreter parent (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe). Used by Lumma Stealer and similar infostealers to gain full Node.js runtime access with filesystem, process, and network privileges.

Data Sources

Elastic Endpoint SecurityWindows Process Telemetry

Required Tables

logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate developer debugging sessions where VS Code's built-in Node.js debugger spawns child Electron renderer processes with --inspect or --inspect-brk flags during extension development
  • Automated UI testing pipelines (Spectron, Playwright, Electron-Mocha) that attach to Electron apps via --remote-debugging-port for headless end-to-end test execution in CI environments
  • IT helpdesk or MDM management scripts using PowerShell to restart Slack or Teams with custom startup arguments that include --js-flags for V8 heap size tuning in memory-constrained environments
Download portable Sigma rule (.yml)

Other platforms for T1218.015

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Electron App Launched with Debug Port Flag

    Expected signal: Sysmon Event ID 1: code.exe with --inspect=9229 and --remote-allow-origins=* in command line. Sysmon Event ID 3: Network listen on port 9229 (127.0.0.1:9229).

  2. Test 2Electron App Launched from cmd.exe with Debug Flag

    Expected signal: Sysmon Event ID 1: cmd.exe then code.exe with --remote-debugging-port in command line, ParentImage=cmd.exe. Both DebugPort and SuspiciousParent indicators fire.

  3. Test 3Malicious Electron App Shortcut with Debug Flags

    Expected signal: Sysmon Event ID 1: powershell.exe. Sysmon Event ID 11: Slack.lnk file created in Temp. The shortcut content contains debug flags — detection via shortcut file analysis or when the shortcut is eventually opened.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1218.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMC

Related Techniques

T1218System Binary Proxy ExecutionT1555.003Credentials from Web BrowsersT1059.007JavaScriptT1204.002Malicious FileT1036MasqueradingT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections