- Tactics
- stealth
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1218.015
Description
Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)
Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of teams.exe and chrome.exe may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe).(Citation: Electron 6-8)
Adversaries may also execute malicious content by planting malicious JavaScript within Electron applications.(Citation: Electron Security)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1055 — Process Injection
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1127 — Trusted Developer Utilities Proxy Execution
- T1134 — Access Token Manipulation
- T1140 — Deobfuscate/Decode Files or Information
- T1197 — BITS Jobs
- T1202 — Indirect Command Execution