T1218.015 Electron Applications Mappings

Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)

Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background, potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, abuse of teams.exe and chrome.exe may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe").(Citation: Electron 6-8)

Adversaries may also execute malicious content by planting malicious JavaScript within Electron applications.(Citation: Electron Security)
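The chrome.exe example above is exactly the pattern a process-creation detection can key on: a known Electron/Chromium image whose --gpu-launcher value resolves to a shell or script interpreter. The following is an added defender-side example, not code from MITRE or any of the cited sources; it parses Sysmon-style events (Image, CommandLine fields) and the image and launcher lists are illustrative assumptions, and the sample events are constructed.

```python
import ntpath
import re
from typing import Optional

# Illustrative Electron/Chromium-based image names (assumption of this example, not exhaustive).
ELECTRON_IMAGES = {"chrome.exe", "teams.exe", "slack.exe", "signal.exe", "code.exe"}
# Interpreters and LOLBins that a legitimate --gpu-launcher value should never resolve to.
SUSPICIOUS_LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Matches --gpu-launcher=VALUE or --gpu-launcher VALUE, where VALUE may be double-quoted.
_GPU_LAUNCHER = re.compile(r'--gpu-launcher(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def gpu_launcher_value(command_line: str) -> Optional[str]:
    """Return the --gpu-launcher value from a Windows command line, or None if absent.
    A quoted value is returned without quotes and may hold a whole command such as
    'C:\\Windows\\system32\\cmd.exe /c calc.exe'."""
    m = _GPU_LAUNCHER.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def launcher_binary(launcher: str) -> str:
    """Lower-cased base name of the executable the launcher value starts with."""
    parts = launcher.split()
    return ntpath.basename(parts[0]).lower() if parts else ""


def assess(event: dict) -> Optional[dict]:
    """Score one process-creation event. Returns None when benign, otherwise a finding:
    'high'   - an Electron image's --gpu-launcher points at a shell/interpreter
    'medium' - --gpu-launcher present on an Electron image at all (rare outside debugging)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in ELECTRON_IMAGES:
        return None
    launcher = gpu_launcher_value(event.get("CommandLine", ""))
    if launcher is None:
        return None
    target = launcher_binary(launcher)
    severity = "high" if target in SUSPICIOUS_LAUNCHERS else "medium"
    return {"image": image, "launcher": launcher, "target": target, "severity": severity}


def scan(events) -> list:
    """Run assess() over an iterable of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f]


# Constructed sample events (not real telemetry); the first mirrors the page's chrome.exe example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe"'},
    {"Image": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "CommandLine": r'"Teams.exe" --type=gpu-process --field-trial-handle=1234'},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe --gpu-launcher=cmd.exe"},
]
```

Only the first sample produces a finding (severity high, target cmd.exe); the Teams GPU child is a normal Chromium helper process and notepad.exe is outside the watched image set, so a production rule would pair this with a parent/child check rather than relying on the image list alone.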


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1218.015 | Electron Applications | |
| CM-06 | Configuration Settings | mitigates | T1218.015 | Electron Applications | |
| CM-05 | Access Restrictions for Change | mitigates | T1218.015 | Electron Applications | |
| SC-18 | Mobile Code | mitigates | T1218.015 | Electron Applications | |
| SC-34 | Non-modifiable Executable Programs | mitigates | T1218.015 | Electron Applications | |
| SI-16 | Memory Protection | mitigates | T1218.015 | Electron Applications | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.015 | Electron Applications | |
| CM-08 | System Component Inventory | mitigates | T1218.015 | Electron Applications | |
| SI-10 | Information Input Validation | mitigates | T1218.015 | Electron Applications | |
| SI-15 | Information Output Filtering | mitigates | T1218.015 | Electron Applications | |
| SI-03 | Malicious Code Protection | mitigates | T1218.015 | Electron Applications | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.015 | Electron Applications | |
| CM-02 | Baseline Configuration | mitigates | T1218.015 | Electron Applications | |
| CM-07 | Least Functionality | mitigates | T1218.015 | Electron Applications | |
| SI-04 | System Monitoring | mitigates | T1218.015 | Electron Applications | |
| AC-02 | Account Management | mitigates | T1218.015 | Electron Applications | |
| AC-06 | Least Privilege | mitigates | T1218.015 | Electron Applications | |
| SC-07 | Boundary Protection | mitigates | T1218.015 | Electron Applications | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.015 | Electron Applications | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1218.015 | Electron Applications | |

Comments

Google Security Ops is able to trigger an alert based on suspicious behavior in Windows involving the use of regsvr32.exe and a possible fileless attack via this executable. This technique was scored as minimal due to a low or uncertain detection coverage factor.

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral