Techniques
Sample rules
Windows Suspicious React or Next.js Child Process
- source: splunk
- techniques:
- T1190
- T1059.003
- T1059.001
Description
This analytic detects Windows processes such as cmd.exe, PowerShell, and common Windows LOLBINs being spawned by React or Next.js application servers. In the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is used to invoke Node’s child_process APIs (for example child_process.execSync) to run OS-level commands. This detection focuses on suspicious child processes where a Next/React server process spawns an uncommon process. Such activity might be a strong indicator of exploitation of the aforementioned vulnerability.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where
Processes.parent_process_name = "node.exe"
Processes.parent_process IN (
"*--experimental-https*",
"*--experimental-next-config-strip-types*",
"*\\node_modules\\next*",
"*next dev*",
"*next start*",
"*next\" start*",
"*node_modules\\.bin\\\\..\\next*",
"*react-scripts start*",
"*start-server.js*"
)
AND
(
Processes.process_name IN (
"bash.exe",
"bitsadmin.exe",
"calc.exe",
"certutil.exe",
"cscript.exe",
"curl.exe",
"ftp.exe",
"ipconfig.exe",
"mshta.exe",
"netstat.exe",
"OpenConsole.exe",
"powershell.exe",
"pwsh.exe",
"regsvr32.exe",
"rundll32.exe",
"sh.exe",
"tftp.exe",
"wget.exe",
"wmic.exe",
"wscript.exe",
"wsl.exe",
"wt.exe"
)
OR
(
Processes.process_name = "cmd.exe"
AND NOT Processes.process = "*/d /s /c *"
)
OR
(
Processes.process_name = "cmd.exe"
Processes.process = "*/d /s /c *"
AND NOT (
Processes.process = "*git config --local --get remote.origin.url*"
OR
(
Processes.process = "*netstat -ano | findstr /C:*"
Processes.process = "* | findstr LISTENING*"
)
OR
(
Processes.parent_process = "*--experimental-https*"
Processes.process = "*\\mkcert\\*"
Processes.process IN ("* -CAROOT*", "* -install *")
)
)
)
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_react_or_next_js_child_process_filter`
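To make the matching logic above testable outside Splunk, here is a Python re-implementation of the same parent/child/exclusion checks, run over a handful of constructed process-creation events. This is an added example, not the Splunk rule itself or code from the splunk security content project. It assumes Splunk-style wildcard matching (`*` as the only metacharacter, case-insensitive), reads the SPL strings after Splunk's double-quote unescaping (so `\\` in the rule is one backslash here), and treats the `/d /s /c` prefix as the form Node's `child_process.exec()` uses to invoke cmd.exe on Windows, which is what the rule's carve-outs key on. The event field names mirror the Endpoint.Processes data model fields used in the search.

```python
import fnmatch

# Parent command-line globs from the rule, after Splunk string unescaping.
NEXT_PARENT_PATTERNS = [
    "*--experimental-https*",
    "*--experimental-next-config-strip-types*",
    r"*\node_modules\next*",
    "*next dev*",
    "*next start*",
    '*next" start*',
    r"*node_modules\.bin\\..\next*",
    "*react-scripts start*",
    "*start-server.js*",
]

# Child process names the rule flags unconditionally (lower-cased for comparison).
SUSPICIOUS_CHILDREN = {
    "bash.exe", "bitsadmin.exe", "calc.exe", "certutil.exe", "cscript.exe",
    "curl.exe", "ftp.exe", "ipconfig.exe", "mshta.exe", "netstat.exe",
    "openconsole.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe",
    "rundll32.exe", "sh.exe", "tftp.exe", "wget.exe", "wmic.exe",
    "wscript.exe", "wsl.exe", "wt.exe",
}


def _like(value: str, pattern: str) -> bool:
    """Splunk-style wildcard match. Assumed case-insensitive; only '*' is used
    as a metacharacter in the rule's patterns, so fnmatch is a safe stand-in."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_next_or_react_parent(ev: dict) -> bool:
    """Parent must be node.exe AND its command line must look like a Next/React server."""
    return ev["parent_process_name"].lower() == "node.exe" and any(
        _like(ev["parent_process"], p) for p in NEXT_PARENT_PATTERNS
    )


def is_allowlisted_cmd(ev: dict) -> bool:
    """The three cmd.exe carve-outs from the rule's AND NOT (...) clause."""
    proc = ev["process"]
    if _like(proc, "*git config --local --get remote.origin.url*"):
        return True
    if _like(proc, "*netstat -ano | findstr /C:*") and _like(proc, "* | findstr LISTENING*"):
        return True
    if (_like(ev["parent_process"], "*--experimental-https*")
            and _like(proc, r"*\mkcert\*")
            and (_like(proc, "* -CAROOT*") or _like(proc, "* -install *"))):
        return True
    return False


def is_suspicious_child(ev: dict) -> bool:
    name = ev["process_name"].lower()
    if name in SUSPICIOUS_CHILDREN:
        return True
    if name == "cmd.exe":
        # cmd.exe without the `/d /s /c ` prefix Node's exec() produces is flagged outright;
        # with the prefix it is flagged unless one of the allowlisted dev-time commands matches.
        if not _like(ev["process"], "*/d /s /c *"):
            return True
        return not is_allowlisted_cmd(ev)
    return False


def matches(ev: dict) -> bool:
    return is_next_or_react_parent(ev) and is_suspicious_child(ev)


def run_detection(events):
    """Return the ids of events the rule would surface."""
    return [ev["id"] for ev in events if matches(ev)]


# Constructed sample events (not real telemetry).
NEXT_START = r'"C:\Program Files\nodejs\node.exe" C:\app\node_modules\next\dist\bin\next start'
NEXT_DEV_HTTPS = r'"C:\Program Files\nodejs\node.exe" C:\app\node_modules\next\dist\bin\next dev --experimental-https'
PLAIN_NODE = r'"C:\Program Files\nodejs\node.exe" C:\app\server.js'

SAMPLE_EVENTS = [
    {"id": "ev1", "parent_process_name": "node.exe", "parent_process": NEXT_START,
     "process_name": "powershell.exe", "process": "powershell.exe -NoProfile -Command whoami"},
    {"id": "ev2", "parent_process_name": "node.exe", "parent_process": NEXT_START,
     "process_name": "cmd.exe", "process": 'cmd.exe /d /s /c "git config --local --get remote.origin.url"'},
    {"id": "ev3", "parent_process_name": "node.exe", "parent_process": NEXT_DEV_HTTPS,
     "process_name": "cmd.exe", "process": r'cmd.exe /d /s /c "C:\Users\dev\AppData\Local\mkcert\mkcert.exe -CAROOT"'},
    {"id": "ev4", "parent_process_name": "node.exe", "parent_process": NEXT_START,
     "process_name": "cmd.exe", "process": 'cmd.exe /d /s /c "whoami /all"'},
    {"id": "ev5", "parent_process_name": "node.exe", "parent_process": PLAIN_NODE,
     "process_name": "cmd.exe", "process": 'cmd.exe /d /s /c "whoami /all"'},
    {"id": "ev6", "parent_process_name": "node.exe", "parent_process": NEXT_START,
     "process_name": "cmd.exe", "process": 'cmd.exe /d /s /c "netstat -ano | findstr /C:":3000" | findstr LISTENING"'},
    {"id": "ev7", "parent_process_name": "node.exe", "parent_process": NEXT_START,
     "process_name": "cmd.exe", "process": 'cmd.exe /c "whoami"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "ALERT" if matches(ev) else "ok")
```

Running it surfaces ev1 (PowerShell under a Next server), ev4 (a `/d /s /c` cmd.exe that matches no carve-out) and ev7 (cmd.exe invoked without Node's usual prefix), while ev2, ev3 and ev6 fall into the git, mkcert and netstat allowlists and ev5 is ignored because its node.exe parent is not running a Next/React entry point. The parent-scoping check is what keeps the rule from firing on every node.exe that shells out; the allowlist is where tuning belongs when a given environment's dev tooling adds more expected cmd.exe children.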