T1218.015 Microsoft Sentinel · KQL

Detect Electron Applications in Microsoft Sentinel

Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by passing malicious JavaScript via command-line flags (--inspect, --inspect-brk, --remote-debugging-port) to enable DevTools remote debugging and execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware using this technique. This grants full system access including filesystem operations, child process spawning, and network communication.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.015 Electron Applications
Canonical reference
https://attack.mitre.org/techniques/T1218/015/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ElectronApps = dynamic(["slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe", "notion.exe", "obsidian.exe", "figma.exe", "1password.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ElectronApps) or ProcessCommandLine has_any ("--inspect", "--inspect-brk", "--remote-debugging-port", "--remote-allow-origins", "--js-flags")
| extend DebugPort = ProcessCommandLine has_any ("--inspect", "--inspect-brk", "--remote-debugging-port")
| extend RemoteDebugging = ProcessCommandLine matches regex @"--remote-debugging-port=\d+"
| extend JSFlags = ProcessCommandLine has "--js-flags"
| extend AllowOrigins = ProcessCommandLine has "--remote-allow-origins"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where DebugPort or RemoteDebugging or JSFlags or (AllowOrigins and SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, DebugPort, RemoteDebugging, JSFlags, SuspiciousParent
| sort by Timestamp desc
high severity high confidence

Detects abuse of Electron applications via debug mode flags (--inspect, --remote-debugging-port) that enable arbitrary JavaScript execution with Node.js privileges. These flags should never appear in production Electron application command lines and indicate either adversarial command-line injection or malicious script abuse.

Data Sources

Process: Process CreationCommand: Command ExecutionNetwork: Network ConnectionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Developers using Electron debugging features (--inspect, --remote-debugging-port) during application development and testing
  • IT administrators using Electron debug flags for troubleshooting application issues
  • Automated testing frameworks (Spectron, Playwright for Electron) that use debug ports for headless testing
  • VS Code extension developers using the --inspect flag for extension debugging
Download portable Sigma rule (.yml)

Other platforms for T1218.015

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Electron App Launched with Debug Port Flag

    Expected signal: Sysmon Event ID 1: code.exe with --inspect=9229 and --remote-allow-origins=* in command line. Sysmon Event ID 3: Network listen on port 9229 (127.0.0.1:9229).

  2. Test 2Electron App Launched from cmd.exe with Debug Flag

    Expected signal: Sysmon Event ID 1: cmd.exe then code.exe with --remote-debugging-port in command line, ParentImage=cmd.exe. Both DebugPort and SuspiciousParent indicators fire.

  3. Test 3Malicious Electron App Shortcut with Debug Flags

    Expected signal: Sysmon Event ID 1: powershell.exe. Sysmon Event ID 11: Slack.lnk file created in Temp. The shortcut content contains debug flags — detection via shortcut file analysis or when the shortcut is eventually opened.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1218.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMC

Related Techniques

T1218System Binary Proxy ExecutionT1555.003Credentials from Web BrowsersT1059.007JavaScriptT1204.002Malicious FileT1036MasqueradingT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections