LoFP / vscode extensions or similar legitimate tools might use unsigned .node files. these should be investigated on a case-by-case basis, and whitelisted if determined to be benign.

Techniques

• t1036
• t1036.005
• t1129
• t1574
• t1574.001

Sample rules

Unsigned .node File Loaded

• source: sigma
• technicques:
  • t1036
  • t1036.005
  • t1129
  • t1574
  • t1574.001

Description

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_vscode_jupyter:
  ImageLoaded|contains: .vscode\extensions\ms-toolsai.jupyter-
  ImageLoaded|endswith:
  - \electron.napi.node
  - \node.napi.glibc.node
  Image|endswith: \Code.exe
selection_node_extension:
  ImageLoaded|endswith: .node
selection_status:
- Signed: 'false'
- SignatureStatus: Unavailable