1. Home
  2. Detection Strategies
  3. Detecting Electron Application Abuse for Proxy Execution

Detecting Electron Application Abuse for Proxy Execution

Technique Detected:  Electron Applications | T1218.015

ID: DET0025
Domains: Enterprise
Analytics: AN0071, AN0072, AN0073
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN0071

Abuse of trusted Electron apps (Teams, Slack, Chrome) to spawn child processes or execute payloads via malicious command-line arguments (e.g., --gpu-launcher) and modified app resources (.asar). Behavior chain: suspicious parent process (Electron app) → unusual command-line args → child process creation → optional DLL/network artifacts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3
Mutable Elements
Field Description
TimeWindow Correlation window tying app launch, file tampering, child process, and network events (5–10 minutes typical).
UserContext Flag admin/service accounts versus standard users executing Electron apps.
AllowedElectronApps Baseline of Electron-based executables expected in the enterprise.
AllowedChildProcesses Whitelist normal child processes (chrome.exe → crashpad_handler.exe) versus anomalies (powershell.exe).
ElectronAppDomainAllowlist Approved service domains for Teams, Slack, etc. to suppress benign traffic.
AsarIntegrityHash Expected hash/signature of app.asar resources to detect tampering.

AN0072

Abuse of Linux Electron binaries by modifying app.asar or config JS files and spawning unexpected child processes (bash, curl, python).

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve: Electron-based binary spawning shell or script interpreter
File Creation (DC0039) WinEventLog:Sysmon Modification of .asar in /opt or ~/.config directories
Mutable Elements
Field Description
AsarIntegrityCheck Baseline of expected asar package signatures per app.
SuspiciousChildProcesses Flag shells/python spawned from Electron parent.

AN0073

Abuse of macOS Electron apps by modifying app.asar bundles and spawning child processes (osascript, curl, sh) from Electron executables.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Electron app spawning unexpected child process
File Creation (DC0039) macos:osquery CREATE/MODIFY: Modification of app.asar inside .app bundle
Mutable Elements
Field Description
AllowedAppBundlePaths Baseline of legitimate Electron app paths under /Applications.
SignedToUnsignedTransition Alert when signed Electron parent spawns unsigned child.