title: Electron Applications (T1218.015)
id: df00tech-t1218-015
status: experimental
description: "Adversaries may abuse components of the Electron framework to execute malicious code. Electron is a cross-platform desktop application development framework using JavaScript, HTML, and CSS that embeds a Chromium browser engine and a Node.js runtime. Common Electron apps include Signal, Slack, Microsoft Teams, VS Code, and Discord. Adversaries can abuse these applications by launching them with command-line flags (--inspect, --inspect-brk, --remote-debugging-port) that enable DevTools remote debugging, and then using that debugging interface to execute arbitrary JavaScript with Node.js privileges. Lumma Stealer is a notable malware family using this technique. This grants full system access, including filesystem operations, child process spawning, and network communication."
references:
  - https://attack.mitre.org/techniques/T1218/015/
  - https://df00tech.com/detections/T1218.015
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.015
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Approximation of the df00tech KQL/SPL query (see references): match the Electron/Node.js
  # remote-debugging flags on the command line. Narrow Image to known Electron apps per environment.
  selection:
    CommandLine|contains:
      - '--inspect'
      - '--inspect-brk'
      - '--remote-debugging-port'
  condition: selection
falsepositives:
  - "Developers using Electron debugging features (--inspect, --remote-debugging-port) during application development and testing"
  - IT administrators using Electron debug flags for troubleshooting application issues
  - "Automated testing frameworks (Spectron, Playwright for Electron) that use debug ports for headless testing"
  - VS Code extension developers using the --inspect flag for extension debugging
level: high

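# Added example (not part of the df00tech rule): the Python below applies the rule's
# command-line logic to constructed Sysmon-style process_creation events. Executable
# names, sample paths and ports are assumptions, not values taken from the rule.

```python
from dataclasses import dataclass
from typing import Optional

# Flags named in the rule description; each takes an optional =value (port or host:port).
DEBUG_FLAGS = ("--inspect", "--inspect-brk", "--remote-debugging-port")
# Executable names for the Electron apps the description lists (assumed, not from the rule).
ELECTRON_IMAGES = {"signal.exe", "slack.exe", "teams.exe", "code.exe", "discord.exe"}

@dataclass
class Finding:
    image: str               # basename of the launched executable
    flag: str                # which remote-debugging flag was present
    value: Optional[str]     # port or host:port if one was given, else None
    electron_app: bool       # True when the image is a known Electron app (higher confidence)

def debug_flags(command_line: str) -> list[tuple[str, Optional[str]]]:
    """Return (flag, value) pairs for each remote-debugging flag on the command line.
    Matching is per whitespace token on the part before '=', so '--inspector' or a
    script named inspector.js does not match while '--inspect=127.0.0.1:9229' does.
    """
    found = []
    for tok in command_line.split():
        name, _, val = tok.partition("=")
        if name.lower() in DEBUG_FLAGS:
            found.append((name.lower(), val or None))
    return found

def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule to one Sysmon-style process_creation event (Image, CommandLine)."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    flags = debug_flags(event.get("CommandLine", ""))
    if not flags:
        return None
    flag, value = flags[0]  # report the first flag; all of them are equally suspicious
    return Finding(image, flag, value, image in ELECTRON_IMAGES)

def scan(events: list[dict]) -> list[Finding]:
    return [f for f in map(evaluate, events) if f is not None]

# Constructed sample telemetry (not real logs); the last event is a benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe" --inspect=9229'},
    {"Image": r"C:\Users\u\AppData\Local\Discord\Discord.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Discord\Discord.exe" --remote-debugging-port=9222'},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" --inspect-brk'},
    {"Image": r"C:\Users\u\AppData\Local\slack\slack.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\slack\slack.exe" --startup'},
]
```

Unknown images with a debug flag still produce a Finding with electron_app=False, so the same logic covers the Node.js-only false positives listed above at a lower confidence.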