T1218.015 CrowdStrike LogScale · LogScale

Detect Electron Applications in CrowdStrike LogScale

Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by passing malicious JavaScript via command-line flags (--inspect, --inspect-brk, --remote-debugging-port) to enable DevTools remote debugging and execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware using this technique. This grants full system access including filesystem operations, child process spawning, and network communication.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.015 Electron Applications
Canonical reference
https://attack.mitre.org/techniques/T1218/015/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe$/
  OR CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port|js-flags|remote-allow-origins)[= ]/
| CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port|js-flags|remote-allow-origins)[= ]/
| ElectronApp := if(FileName = /(?i)^(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe$/, "true", "false")
| DebugPort := if(CommandLine = /(?i)--(inspect|inspect-brk|remote-debugging-port)/, "true", "false")
| JSFlags := if(CommandLine = /(?i)--js-flags/, "true", "false")
| AllowOrigins := if(CommandLine = /(?i)--remote-allow-origins/, "true", "false")
| SuspiciousParent := if(ParentBaseFileName = /(?i)^(cmd|powershell|wscript|cscript|mshta)\.exe$/, "true", "false")
| DebugPort = "true" OR JSFlags = "true" OR (AllowOrigins = "true" AND SuspiciousParent = "true")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent])
| sort(field=timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (CQL) detection for T1218.015 — Electron Application abuse. Uses ProcessRollup2 events from the Falcon sensor to identify Electron debug flag abuse. First broadens to all processes with Electron debug flags, then applies the same boolean risk logic as the baseline SPL: DebugPort flag alone, JSFlags alone, or AllowOrigins paired with a suspicious script-interpreter parent all trigger the alert. Uses Falcon-native fields: FileName, CommandLine, ParentBaseFileName, ComputerName, UserName.

Data Sources

CrowdStrike Falcon Endpoint Agent

Required Tables

ProcessRollup2

False Positives & Tuning

  • Developer workstations enrolled in Falcon where VS Code or other Electron IDEs are actively used with Node.js debugging enabled — ProcessRollup2 will capture --inspect flags from legitimate debug sessions
  • Automated Electron app testing frameworks (Spectron, electron-chromedriver) executed from CI runner agents on Falcon-protected build servers, passing --remote-debugging-port as a standard test harness argument
  • Corporate IT scripts deploying or restarting Slack, Teams, or Discord with PowerShell using --js-flags arguments derived from GPO-managed application startup configurations
Download portable Sigma rule (.yml)

Other platforms for T1218.015

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Electron App Launched with Debug Port Flag

    Expected signal: Sysmon Event ID 1: code.exe with --inspect=9229 and --remote-allow-origins=* in command line. Sysmon Event ID 3: Network listen on port 9229 (127.0.0.1:9229).

  2. Test 2Electron App Launched from cmd.exe with Debug Flag

    Expected signal: Sysmon Event ID 1: cmd.exe then code.exe with --remote-debugging-port in command line, ParentImage=cmd.exe. Both DebugPort and SuspiciousParent indicators fire.

  3. Test 3Malicious Electron App Shortcut with Debug Flags

    Expected signal: Sysmon Event ID 1: powershell.exe. Sysmon Event ID 11: Slack.lnk file created in Temp. The shortcut content contains debug flags — detection via shortcut file analysis or when the shortcut is eventually opened.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1218.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMC

Related Techniques

T1218System Binary Proxy ExecutionT1555.003Credentials from Web BrowsersT1059.007JavaScriptT1204.002Malicious FileT1036MasqueradingT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections