T1218.015 IBM QRadar · QRadar

Detect Electron Applications in IBM QRadar

Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by passing malicious JavaScript via command-line flags (--inspect, --inspect-brk, --remote-debugging-port) to enable DevTools remote debugging and execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware using this technique. This grants full system access including filesystem operations, child process spawning, and network communication.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Sub-technique: T1218.015 Electron Applications
Canonical reference: https://attack.mitre.org/techniques/T1218/015/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS User,
  devicehostname AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine
FROM events
WHERE LOGSOURCETYPEID IN (12, 383)
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    LOWER("CommandLine") ILIKE '%--inspect%'
    OR LOWER("CommandLine") ILIKE '%--inspect-brk%'
    OR LOWER("CommandLine") ILIKE '%--remote-debugging-port=%'
    OR LOWER("CommandLine") ILIKE '%--js-flags=%'
    OR LOWER("CommandLine") ILIKE '%--remote-allow-origins=%'
  )
  AND (
    LOWER("Image") ILIKE '%slack.exe%'
    OR LOWER("Image") ILIKE '%teams.exe%'
    OR LOWER("Image") ILIKE '%discord.exe%'
    OR LOWER("Image") ILIKE '%code.exe%'
    OR LOWER("Image") ILIKE '%signal-desktop.exe%'
    OR LOWER("Image") ILIKE '%notion.exe%'
    OR LOWER("Image") ILIKE '%obsidian.exe%'
    OR LOWER("Image") ILIKE '%figma.exe%'
    OR LOWER("Image") ILIKE '%1password.exe%'
    OR LOWER("ParentImage") ILIKE '%cmd.exe%'
    OR LOWER("ParentImage") ILIKE '%powershell.exe%'
    OR LOWER("ParentImage") ILIKE '%wscript.exe%'
    OR LOWER("ParentImage") ILIKE '%cscript.exe%'
    OR LOWER("ParentImage") ILIKE '%mshta.exe%'
  )
LAST 24 HOURS
```

Severity: high. Confidence: medium.

IBM QRadar AQL query for T1218.015 — Electron Application abuse. Targets Sysmon EventCode 1 (Process Create) events ingested via Windows Security Event Log DSM (LOGSOURCETYPEID 12) or Microsoft Sysmon DSM (LOGSOURCETYPEID 383). Detects known Electron app binaries launched with Node.js debug instrumentation flags, or such flags appearing in command lines spawned by common Windows script interpreters. Normalized Sysmon fields (Image, CommandLine, ParentImage) are used directly as QRadar custom event properties parsed by the Sysmon DSM.
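To make the rule's logic testable outside QRadar, the following added example (not code from the page or from IBM) re-implements the two AND groups of the AQL in Python and runs them over constructed Sysmon Event ID 1 records modelled on the three Atomic tests in the Testing Methodology section plus two benign launches. The `ProcessCreate` record, the `SAMPLE_EVENTS`, the indicator names and the `allowed_users` tuning hook are assumptions made for the example; ILIKE is modelled as a case-insensitive substring match, which is what the AQL does.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Predicate lists taken from the rule's AQL. ILIKE is a case-insensitive
# substring match, so every check lowercases the value and uses `in`.
DEBUG_FLAGS = ("--inspect", "--inspect-brk", "--remote-debugging-port=",
               "--js-flags=", "--remote-allow-origins=")
ELECTRON_IMAGES = ("slack.exe", "teams.exe", "discord.exe", "code.exe",
                   "signal-desktop.exe", "notion.exe", "obsidian.exe",
                   "figma.exe", "1password.exe")
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe")


@dataclass
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record, named after the custom event
    properties the rule reads (Image, CommandLine, ParentImage). Assumed shape."""
    hostname: str
    user: str
    image: str
    command_line: str
    parent_image: str


def _ilike_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n in v for n in needles)


def has_debug_flag(command_line: str) -> bool:
    return _ilike_any(command_line, DEBUG_FLAGS)


def is_electron_image(image: str) -> bool:
    return _ilike_any(image, ELECTRON_IMAGES)


def has_script_parent(parent_image: str) -> bool:
    return _ilike_any(parent_image, SCRIPT_PARENTS)


def evaluate(event: ProcessCreate) -> List[str]:
    """Indicators that fire for one event, mirroring the rule's two AND groups:
    a debug flag must be present, and then either the image is a known Electron
    binary ("DebugPort") or the parent is a script interpreter
    ("SuspiciousParent"). An empty list means the rule does not fire."""
    if not has_debug_flag(event.command_line):
        return []
    indicators = []
    if is_electron_image(event.image):
        indicators.append("DebugPort")
    if has_script_parent(event.parent_image):
        indicators.append("SuspiciousParent")
    return indicators


def detect(events: Iterable[ProcessCreate],
           allowed_users: Iterable[str] = ()) -> List[Tuple[ProcessCreate, List[str]]]:
    """Run the rule over a batch and suppress hits from allow-listed accounts,
    the kind of tuning the False Positives section describes for CI/CD service
    accounts. The allow-list itself is an assumption, not part of the rule."""
    allowed = {u.lower() for u in allowed_users}
    hits = []
    for ev in events:
        inds = evaluate(ev)
        if inds and ev.user.lower() not in allowed:
            hits.append((ev, inds))
    return hits


# Constructed sample events (not real telemetry): Tests 1 to 3 from the
# Testing Methodology section, a benign VS Code launch, and a CI agent run.
SAMPLE_EVENTS = [
    ProcessCreate("WS-01", "alice", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                  '"Code.exe" --inspect=9229 --remote-allow-origins=*', r"C:\Windows\explorer.exe"),
    ProcessCreate("WS-02", "bob", r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                  '"Code.exe" --remote-debugging-port=9222', r"C:\Windows\System32\cmd.exe"),
    # Test 3: the flags only appear inside the shortcut being written, and
    # powershell.exe is neither an Electron image nor a child of a script host.
    ProcessCreate("WS-03", "carol", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  'powershell.exe -c "$s=(New-Object -ComObject WScript.Shell).CreateShortcut(\'Slack.lnk\');'
                  '$s.Arguments=\'--remote-debugging-port=9222\';$s.Save()"', r"C:\Windows\explorer.exe"),
    ProcessCreate("WS-04", "dave", r"C:\Users\dave\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                  '"Code.exe" C:\\projects\\app', r"C:\Windows\explorer.exe"),
    ProcessCreate("BUILD-07", "svc-ci", r"C:\agent\_work\1\s\dist\win-unpacked\MyApp.exe",
                  "MyApp.exe --remote-debugging-port=9222", r"C:\Program Files\PowerShell\7\pwsh\powershell.exe"),
]

if __name__ == "__main__":
    for ev, inds in detect(SAMPLE_EVENTS, allowed_users=("svc-ci",)):
        print(f"{ev.hostname}: {ev.image} fired {inds}")
</test>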

Data Sources

Microsoft Windows Sysmon
Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Developer workstations where CI/CD agents use PowerShell to launch Electron applications with --remote-debugging-port for automated integration testing against local builds
  • Security tooling or SIEM-adjacent agents that programmatically invoke VS Code (code.exe) with --inspect flags to perform extension sandboxing analysis or behavioral profiling
  • Enterprise application packaging workflows where Electron apps are launched with --js-flags by build scripts during installer generation or MSIX packaging validation steps
Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Electron App Launched with Debug Port Flag

    Expected signal: Sysmon Event ID 1: code.exe with --inspect=9229 and --remote-allow-origins=* in command line. Sysmon Event ID 3: Network listen on port 9229 (127.0.0.1:9229).

  2. Test 2: Electron App Launched from cmd.exe with Debug Flag

    Expected signal: Sysmon Event ID 1: cmd.exe then code.exe with --remote-debugging-port in command line, ParentImage=cmd.exe. Both DebugPort and SuspiciousParent indicators fire.

  3. Test 3: Malicious Electron App Shortcut with Debug Flags

    Expected signal: Sysmon Event ID 1: powershell.exe. Sysmon Event ID 11: Slack.lnk file created in Temp. The shortcut content contains debug flags — detection via shortcut file analysis or when the shortcut is eventually opened.
