1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution
  5. Electron Applications

System Binary Proxy Execution: Electron Applications

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.[1] Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.[2] The Chromium engine is used to display web content and Node.js runs the backend code.[3]

Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.[3] For example, the abuse of teams.exe and chrome.exe may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe).[4]

Adversaries may also execute malicious content by planting malicious JavaScript within Electron applications.[5]

ID: T1218.015
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Debabrata Sharma
Version: 1.0
Created: 07 March 2024
Last Modified: 15 April 2024
Version Permalink

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries’ power to plant malicious JavaScript within Electron applications.[6]
M1038 Execution Prevention

Where possible, enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. For example, do not use shell.openExternal with untrusted content.

Where possible, set nodeIntegration to false, which disables access to the Node.js function.[7] By disabling access to the Node.js function, this may limit the ability to execute malicious commands by injecting JavaScript code.

Do not disable webSecurity, which may allow for users of the application to invoke malicious content from online sources.
M1050 Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. Ensure that Electron is updated to the latest version and critical vulnerabilities (such as nodeIntegration bypasses) are patched and cannot be exploited.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may abuse Electron apps to execute malicious content. For example, analyze commands invoking teams.exe or chrome.exe to execute malicious or abnormal content.
DS0009 Process Process Creation

Monitor processes and command-line parameters for binaries associated with Electron apps that may be used to proxy execution of malicious content. Compare recent invocations of these binaries with prior history of known good arguments to determine anomalous and potentially adversarial activity.

Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

References

  1. Trend Micro. (2023, June 6). Abusing Electronbased applications in targeted attacks. Retrieved March 7, 2024.
  2. Alanna Titterington. (2023, September 14). Security of Electron-based desktop applications. Retrieved March 7, 2024.
  3. TOM ABAI. (2023, August 10). There’s a New Stealer Variant in Town, and It’s Using Electron to Stay Fully Undetected. Retrieved March 7, 2024.
  4. Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved March 7, 2024.
  1. ElectronJS.org. (n.d.). Retrieved March 7, 2024.
  2. Stack Overflow. (n.d.). Why do I see an "Electron Security Warning" after updating my Electron project to the latest version?. Retrieved March 7, 2024.
  3. CertiK. (2020, June 30). Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run. Retrieved March 7, 2024.