Detect Electron Applications in Splunk
Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by passing malicious JavaScript via command-line flags (--inspect, --inspect-brk, --remote-debugging-port) to enable DevTools remote debugging and execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware using this technique. This grants full system access including filesystem operations, child process spawning, and network communication.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.015 Electron Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1218/015/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ElectronApp=if(match(Image, "(slack|teams|discord|code|signal-desktop|notion|obsidian|figma|1password)\.exe"), 1, 0)
| eval DebugPort=if(match(CommandLine, "(--inspect|--inspect-brk|--remote-debugging-port)"), 1, 0)
| eval JSFlags=if(match(CommandLine, "--js-flags"), 1, 0)
| eval AllowOrigins=if(match(CommandLine, "--remote-allow-origins"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval RiskScore=(ElectronApp * DebugPort) + JSFlags + (AllowOrigins * SuspiciousParent)
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent, RiskScore
| sort - _timeDetects Electron application abuse using Sysmon Event ID 1. Focuses on debug-mode flags being applied to known Electron applications or any process. The combination of a known Electron app with debug port flags is the primary high-confidence indicator.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developers using Electron debugging features during application development
- IT administrators using debug flags for troubleshooting
- Automated testing frameworks using debug ports for headless testing
- VS Code extension developers using --inspect for debugging
Other platforms for T1218.015
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Electron App Launched with Debug Port Flag
Expected signal: Sysmon Event ID 1: code.exe with --inspect=9229 and --remote-allow-origins=* in command line. Sysmon Event ID 3: Network listen on port 9229 (127.0.0.1:9229).
- Test 2Electron App Launched from cmd.exe with Debug Flag
Expected signal: Sysmon Event ID 1: cmd.exe then code.exe with --remote-debugging-port in command line, ParentImage=cmd.exe. Both DebugPort and SuspiciousParent indicators fire.
- Test 3Malicious Electron App Shortcut with Debug Flags
Expected signal: Sysmon Event ID 1: powershell.exe. Sysmon Event ID 11: Slack.lnk file created in Temp. The shortcut content contains debug flags — detection via shortcut file analysis or when the shortcut is eventually opened.
References (5)
- https://attack.mitre.org/techniques/T1218/015/
- https://www.electronjs.org/docs/latest/tutorial/security
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.015/T1218.015.md
- https://www.qualys.com/2024/10/01/lumma-stealer-analysis/
- https://www.netskope.com/blog/lumma-stealer-analysis
Unlock Pro Content
Get the full detection package for T1218.015 including response playbook, investigation guide, and atomic red team tests.