Electron-based application processes whose command-line arguments and parent process do not match a normal launch may indicate an attempt to exploit the Electron Protocol Handler vulnerability (CVE-2018-1000006): a browser spawning an Electron application with attacker-controlled arguments is an abnormal parent-child relationship that can lead to unauthorized code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate exploitation of the Electron framework vulnerability before it leads to a broader compromise.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("code.exe", "skype.exe", "slack.exe", "teams.exe")
| where InitiatingProcessFileName in~ ("iexplore.exe", "runtimebroker.exe", "chrome.exe")
| where ProcessCommandLine has "--gpu-launcher"
| summarize FirstEvent=min(Timestamp), LastEvent=max(Timestamp) by DeviceName, ProcessCommandLine, FileName, InitiatingProcessFileName
```
```yaml
id: 2953f075-035c-4803-9ea2-a9b0771ffc3d
name: Electron-CVE-2018-1000006
description: |
  The query checks process command-line arguments and parent/child process combinations to find machines where there have been
  attempts to exploit the Protocol Handler Vulnerability of the Electron framework, CVE-2018-1000006.
  Electron is a common framework used by many popular applications (e.g. Skype, Teams, Slack, VSCode) which expose protocol handlers,
  which can trigger a remote code execution vulnerability via a browser vector (e.g. Chrome, Internet Explorer, Edge).
  CVE: CVE-2018-1000006
  Read more here:
  https://electronjs.org/blog/protocol-handler-fix
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
  https://www.exploit-db.com/exploits/43899
  https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
  Tags: #exploit #CVE-2018-1000006 #Electron
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where FileName in~ ("code.exe", "skype.exe", "slack.exe", "teams.exe")
  | where InitiatingProcessFileName in~ ("iexplore.exe", "runtimebroker.exe", "chrome.exe")
  | where ProcessCommandLine has "--gpu-launcher"
  | summarize FirstEvent=min(Timestamp), LastEvent=max(Timestamp) by DeviceName, ProcessCommandLine, FileName, InitiatingProcessFileName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate Electron Application Launch
Description: A user or admin is launching a legitimate Electron-based application (e.g., Visual Studio Code, Slack, or a custom Electron app) with normal command-line arguments.
Filter/Exclusion: `process.name: "code" OR process.name: "slack" OR process.name: "your-electron-app-name"`

Scenario: Scheduled Job Running Electron App
Description: A scheduled task (e.g., via Task Scheduler or cron) is running a trusted Electron application as part of an automated process (e.g., data sync, report generation).
Filter/Exclusion: `process.parent_process: "schtasks.exe" OR process.parent_process: "cron" OR process.parent_process: "task scheduler"`

Scenario: Admin Performing Electron-Based Debugging or Profiling
Description: An admin is using a tool like electron-debug or electron-inspector to debug or profile an Electron app during routine maintenance.
Filter/Exclusion: `process.name: "electron" AND process.command_line: "debug" OR process.command_line: "inspect"`

Scenario: System Update or Patching Tool Using Electron
Description: A system update tool (e.g., Microsoft Update, SCCM, or a custom patching tool built with Electron) is running as part of a patching process.
Filter/Exclusion: `process.name: "msu" OR process.name: "sccm" OR process.name: "patching-tool-name"`

Scenario: DevOps Pipeline Triggering Electron App for CI/CD
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions, GitLab CI) is executing an Electron-based tool or script as part of a build or test process.
Filter/Exclusion: `process.parent_process
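To check the hunting logic and the "Scheduled Job" exclusion offline, here is an added Python re-implementation of the KQL query above. It is example code written for this page, not part of the Sentinel hunting query or Microsoft's content. The rows in `SAMPLE_EVENTS` are constructed (the value after `--gpu-launcher` is a placeholder, not a real payload), and the scheduled-task exclusion is an assumption that maps the scenario's generic `process.parent_process` field onto the DeviceProcessEvents column `InitiatingProcessParentFileName` (the parent of the browser that launched the Electron app), since the scenario filters are not written in the query's own schema.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Values the KQL filters on. `in~` is case-insensitive, so names are compared lower-cased.
ELECTRON_APPS = {"code.exe", "skype.exe", "slack.exe", "teams.exe"}
BROWSER_PARENTS = {"iexplore.exe", "runtimebroker.exe", "chrome.exe"}
# KQL `has "--gpu-launcher"` is a case-insensitive term match; a word-boundary regex approximates it.
GPU_LAUNCHER = re.compile(r"(?<![A-Za-z0-9])--gpu-launcher(?![A-Za-z0-9])", re.IGNORECASE)
# Assumed tuning for the "Scheduled Job" scenario: the browser's own parent
# (DeviceProcessEvents column InitiatingProcessParentFileName) is a scheduler.
SCHEDULER_GRANDPARENTS = {"schtasks.exe"}

# Constructed sample rows (not real telemetry). PLACEHOLDER stands in for whatever followed the flag.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-03-01T10:00:00Z", "DeviceName": "ws01", "FileName": "code.exe",
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": "code.exe --gpu-launcher=PLACEHOLDER"},
    # Same device and command line two days later: collapses into one row with a later LastEvent.
    {"Timestamp": "2024-03-02T09:30:00Z", "DeviceName": "ws01", "FileName": "code.exe",
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": "code.exe --gpu-launcher=PLACEHOLDER"},
    # Mixed-case names: in~ and has still match.
    {"Timestamp": "2024-03-03T12:00:00Z", "DeviceName": "ws02", "FileName": "Slack.exe",
     "InitiatingProcessFileName": "IEXPLORE.EXE", "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": "Slack.exe --GPU-Launcher=PLACEHOLDER"},
    # Launched from Explorer, not a browser: no hit.
    {"Timestamp": "2024-03-03T13:00:00Z", "DeviceName": "ws03", "FileName": "teams.exe",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
     "ProcessCommandLine": "teams.exe --gpu-launcher=PLACEHOLDER"},
    # Browser parent but a benign GPU flag: no hit.
    {"Timestamp": "2024-03-03T14:00:00Z", "DeviceName": "ws04", "FileName": "code.exe",
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": "code.exe --disable-gpu"},
    # Hit in the base query, but the browser was started by schtasks.exe: the tuning drops it.
    {"Timestamp": "2024-03-04T08:00:00Z", "DeviceName": "ws05", "FileName": "skype.exe",
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessParentFileName": "schtasks.exe",
     "ProcessCommandLine": "skype.exe --gpu-launcher=PLACEHOLDER"},
    # Older than 14 days relative to NOW: dropped by the time filter.
    {"Timestamp": "2024-02-01T08:00:00Z", "DeviceName": "ws06", "FileName": "code.exe",
     "InitiatingProcessFileName": "chrome.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": "code.exe --gpu-launcher=PLACEHOLDER"},
]
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # fixed "now" so ago(14d) is reproducible


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_hunt(event: dict) -> bool:
    """The three `where` clauses of the KQL query, applied to one row."""
    return (event["FileName"].lower() in ELECTRON_APPS
            and event["InitiatingProcessFileName"].lower() in BROWSER_PARENTS
            and GPU_LAUNCHER.search(event["ProcessCommandLine"]) is not None)


def is_scheduled_job(event: dict) -> bool:
    """Assumed exclusion for the 'Scheduled Job Running Electron App' scenario."""
    return event.get("InitiatingProcessParentFileName", "").lower() in SCHEDULER_GRANDPARENTS


def hunt(events: Iterable[dict], now: datetime, lookback: timedelta = timedelta(days=14),
         exclusions: Iterable[Callable[[dict], bool]] = ()) -> list:
    """Time filter + hunt predicate + optional exclusions, then the KQL `summarize`."""
    exclusions = tuple(exclusions)
    groups = {}
    for ev in events:
        ts = parse_ts(ev["Timestamp"])
        if ts <= now - lookback:  # Timestamp > ago(14d)
            continue
        if not matches_hunt(ev) or any(excl(ev) for excl in exclusions):
            continue
        key = (ev["DeviceName"], ev["ProcessCommandLine"], ev["FileName"], ev["InitiatingProcessFileName"])
        first, last = groups.get(key, (ts, ts))
        groups[key] = (min(first, ts), max(last, ts))  # min()/max() per group
    return [{"DeviceName": k[0], "ProcessCommandLine": k[1], "FileName": k[2],
             "InitiatingProcessFileName": k[3], "FirstEvent": f, "LastEvent": l}
            for k, (f, l) in sorted(groups.items())]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, NOW, exclusions=(is_scheduled_job,)):
        print(row)
```

Run without `exclusions` to see the base query's three hits (ws01, ws02, ws05); with `is_scheduled_job` the ws05 row disappears, while ws03, ws04 and ws06 never match because of the parent filter, the missing flag and the 14-day window respectively. Any exclusion you add in Sentinel should be expressed the same way, as a narrow `where` on a DeviceProcessEvents column rather than on the `process.*` names used in the scenario list.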