Detect Electron Applications in Sumo Logic CSE
Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application framework built on JavaScript, HTML, and CSS that bundles a Chromium browser engine with a Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries abuse these applications by launching them with debugging flags (--inspect, --inspect-brk, --remote-debugging-port) that expose the Node.js inspector or the Chromium DevTools protocol on a local port, then connecting to that port to execute arbitrary JavaScript inside a trusted, signed application process. Lumma Stealer is a notable malware family that uses this technique. Injected code inherits the Node.js runtime's capabilities, including filesystem operations, child process spawning, and network communication, at the privilege level of the user who launched the application.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.015 Electron Applications
- Canonical reference: https://attack.mitre.org/techniques/T1218/015/
Sumo Detection Query
_sourceCategory=windows/sysmon EventCode=1
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>"
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| parse regex "(?i)<ParentCommandLine>(?<ParentCommandLine>[^<]+)</ParentCommandLine>" nodrop
| parse regex "(?i)<User>(?<User>[^<]+)</User>" nodrop
| where CommandLine matches "*--inspect*"
  or CommandLine matches "*--remote-debugging-port=*"
  or CommandLine matches "*--js-flags=*"
  or CommandLine matches "*--remote-allow-origins=*"
| where Image matches "*slack.exe*"
  or Image matches "*teams.exe*"
  or Image matches "*discord.exe*"
  or Image matches "*code.exe*"
  or Image matches "*signal-desktop.exe*"
  or Image matches "*notion.exe*"
  or Image matches "*obsidian.exe*"
  or Image matches "*figma.exe*"
  or Image matches "*1password.exe*"
  or ParentImage matches "*cmd.exe*"
  or ParentImage matches "*powershell.exe*"
  or ParentImage matches "*wscript.exe*"
  or ParentImage matches "*cscript.exe*"
  or ParentImage matches "*mshta.exe*"
| if(Image matches "*slack.exe*" or Image matches "*teams.exe*" or Image matches "*discord.exe*" or Image matches "*code.exe*" or Image matches "*signal-desktop.exe*" or Image matches "*notion.exe*" or Image matches "*obsidian.exe*" or Image matches "*figma.exe*" or Image matches "*1password.exe*", 1, 0) as ElectronApp
| if(CommandLine matches "*--inspect*" or CommandLine matches "*--remote-debugging-port*", 1, 0) as DebugPort
| if(CommandLine matches "*--js-flags*", 1, 0) as JSFlags
| if(CommandLine matches "*--remote-allow-origins*", 1, 0) as AllowOrigins
| if(ParentImage matches "*cmd.exe*" or ParentImage matches "*powershell.exe*" or ParentImage matches "*wscript.exe*" or ParentImage matches "*cscript.exe*" or ParentImage matches "*mshta.exe*", 1, 0) as SuspiciousParent
| (ElectronApp * DebugPort) + JSFlags + (AllowOrigins * SuspiciousParent) as RiskScore
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, ElectronApp, DebugPort, JSFlags, AllowOrigins, SuspiciousParent, RiskScore
| sort by RiskScore desc, _messageTime desc

Sumo Logic detection for T1218.015, Electron application abuse via debug instrumentation flags. The query reads Sysmon Event ID 1 (Process Create) events from the windows/sysmon source category and parses Image, CommandLine, ParentImage, ParentCommandLine and User out of the raw XML payload. Sumo's search language has no eval operator, so each indicator is computed with if(...) as <field> and the score with an arithmetic expression aliased as RiskScore. The scoring model is the same as the baseline Splunk SPL: ElectronApp*DebugPort marks high-confidence abuse, JSFlags alone is suspicious, and AllowOrigins paired with a script-interpreter parent indicates a scripted launch and likely abuse. Results are sorted by RiskScore descending, then by time.

Three things to check before enabling the rule. First, the wildcard "*--inspect*" already covers --inspect-brk and --inspect-port, so those need no separate clause. Second, the parse regexes expect fields wrapped as <Image>...</Image>; Sysmon's native EventData XML emits them as <Data Name="Image">...</Data> and carries the ID as <EventID>1</EventID>, so both the regexes and the EventCode scope term must be adjusted to whatever format your Windows collector actually forwards. Third, the second where-clause deliberately lets any flagged process with a script-host parent through (for example node.exe --inspect launched from cmd.exe); such events score 0 and are dropped by the RiskScore filter, so they cost search time but do not alert.
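The same scoring model as runnable Python, added here as an example (it is not the page's own code and not a Sumo Logic artifact). It parses constructed Sysmon Event ID 1 records in Sysmon's native <Data Name="..."> layout, applies both where-clauses and the five indicators exactly as the query does, and adds one tuning that the query does not have: events where the Electron binary is its own parent (the app spawning a helper such as VS Code's extension host) are dropped when ignore_self_spawned is set. The host, user and install paths in the sample events are invented.

```python
# Added example: the T1218.015 risk scoring above, run over constructed
# Sysmon Event ID 1 records. Not the page's query and not Sumo Logic code.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Substrings from the query's where-clauses (the query matches case-insensitively)
ELECTRON_IMAGES = ("slack.exe", "teams.exe", "discord.exe", "code.exe", "signal-desktop.exe",
                   "notion.exe", "obsidian.exe", "figma.exe", "1password.exe")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
FLAG_FILTER = ("--inspect", "--remote-debugging-port=", "--js-flags=", "--remote-allow-origins=")


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into {field: value}. Sysmon's native XML carries
    fields as <Data Name="Image">...</Data>, not <Image>...</Image>, so key on
    the Name attribute (the query's regexes must match the ingest format)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields


def score_event(ev, ignore_self_spawned=True):
    """Mirror the query: both where-clauses, the five indicators, RiskScore.
    Returns None for events the query would not surface."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    electron = int(any(n in image for n in ELECTRON_IMAGES))
    debug_port = int("--inspect" in cmd or "--remote-debugging-port" in cmd)
    js_flags = int("--js-flags" in cmd)
    allow_origins = int("--remote-allow-origins" in cmd)
    suspicious_parent = int(any(n in parent for n in SCRIPT_HOSTS))
    if not any(f in cmd for f in FLAG_FILTER):  # first where-clause
        return None
    if not (electron or suspicious_parent):  # second where-clause
        return None
    # Tuning suggested here (NOT in the query): Electron apps spawn their own
    # helpers, e.g. VS Code's extension host, so ParentImage == Image is
    # treated as the app's own instrumentation rather than abuse.
    if ignore_self_spawned and electron and parent == image:
        return None
    risk = electron * debug_port + js_flags + allow_origins * suspicious_parent
    if risk == 0:
        return None
    return {"Image": ev["Image"], "ParentImage": ev.get("ParentImage", ""),
            "User": ev.get("User", ""), "ElectronApp": electron, "DebugPort": debug_port,
            "JSFlags": js_flags, "AllowOrigins": allow_origins,
            "SuspiciousParent": suspicious_parent, "RiskScore": risk}


def make_event(image, cmdline, parent, user="CORP\\alice"):
    """Constructed Sysmon Event ID 1 in Sysmon's native EventData layout."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
            '<Computer>WS01.corp.local</Computer></System><EventData>'
            f'<Data Name="Image">{escape(image)}</Data>'
            f'<Data Name="CommandLine">{escape(cmdline)}</Data>'
            f'<Data Name="User">{escape(user)}</Data>'
            f'<Data Name="ParentImage">{escape(parent)}</Data>'
            f'<Data Name="ParentCommandLine">{escape(parent)}</Data>'
            '</EventData></Event>')


CODE = r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SLACK = r"C:\Users\alice\AppData\Local\slack\app-4.36.140\slack.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = {  # constructed; one per scenario described on the page
    "test1_code_inspect": make_event(CODE, f'"{CODE}" --inspect=9229 --remote-allow-origins=*',
                                     r"C:\Windows\explorer.exe"),
    "test2_code_from_cmd": make_event(CODE, f'"{CODE}" --remote-debugging-port=9222', CMD),
    "vscode_exthost_self_spawned": make_event(CODE, f'"{CODE}" --inspect-brk=5870 --type=extensionHost', CODE),
    "node_inspect_from_cmd": make_event(r"C:\Program Files\nodejs\node.exe", "node --inspect app.js", CMD),
    "slack_jsflags_from_cmd": make_event(SLACK, f'"{SLACK}" --js-flags="--max-old-space-size=4096"', CMD),
}


def run(events, ignore_self_spawned=True):
    """Score every event; a value of None means the query would drop it."""
    return {name: score_event(parse_sysmon_event(xml), ignore_self_spawned)
            for name, xml in events.items()}


if __name__ == "__main__":
    hits = run(SAMPLE_EVENTS)
    for name in sorted(hits, key=lambda n: -((hits[n] or {}).get("RiskScore", 0))):
        print(f"{name:30} {'dropped' if hits[name] is None else hits[name]}")
```

The node.exe case shows why the second where-clause is harmless: it passes both filters but scores 0 and is dropped, exactly as in Sumo. Set ignore_self_spawned=False to see the VS Code extension-host event fire with RiskScore 1, which is the first false positive listed below.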
Data Sources
- Sysmon Event ID 1 (Process Create) collected into the windows/sysmon source category, with Image, CommandLine, ParentImage, ParentCommandLine and User extracted from the event XML. No additional lookup tables are required.
False Positives & Tuning
- Electron-based IDE tooling such as VS Code launching its extension host or renderer subprocesses with --inspect-brk when Node.js extension debugging is started from within the editor itself
- Automated QA suites running Spectron or electron-chromedriver tests that pass --remote-debugging-port to Electron apps as part of nightly regression runs driven by scheduled shell scripts
- IT operations runbooks that use cmd.exe to silently restart Slack or Teams after an SSO token refresh, passing harmless --js-flags arguments inherited from GPO-managed shortcut configurations
Tune these by excluding the specific parent (the Electron binary itself for the first case) or the CI service account for the second, rather than by removing the flag from the query; an Electron app debugging itself and an Electron app instrumented from cmd.exe or powershell.exe should keep scoring differently.
Testing Methodology
Validate this detection with the 3 Atomic Red Team tests for T1218.015 below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Electron App Launched with Debug Port Flag
Expected signal: Sysmon Event ID 1 for code.exe with --inspect=9229 and --remote-allow-origins=* in the command line; ElectronApp and DebugPort fire and the event scores RiskScore 1. Sysmon Event ID 3 appears only once something connects to 127.0.0.1:9229, because Sysmon logs network connections rather than listening sockets; if no client connects during the test, confirm the listener with netstat instead.
- Test 2: Electron App Launched from cmd.exe with Debug Flag
Expected signal: Sysmon Event ID 1 for cmd.exe, then for code.exe with --remote-debugging-port in the command line and ParentImage=cmd.exe. ElectronApp, DebugPort and SuspiciousParent all fire; RiskScore is 1, or 2 if --remote-allow-origins is also passed.
- Test 3: Malicious Electron App Shortcut with Debug Flags
Expected signal: Sysmon Event ID 1 for powershell.exe and Sysmon Event ID 11 for a Slack.lnk file created in Temp. The debug flags live inside the shortcut, so this query only fires when the shortcut is eventually opened and slack.exe starts with those flags; catching it at creation time requires shortcut file analysis.
References (5)
- https://attack.mitre.org/techniques/T1218/015/
- https://www.electronjs.org/docs/latest/tutorial/security
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.015/T1218.015.md
- https://www.qualys.com/2024/10/01/lumma-stealer-analysis/
- https://www.netskope.com/blog/lumma-stealer-analysis