Unsigned .node File Loaded

Rule Info

Name
Unsigned .node File Loaded
Author
Jonathan Beierle (@hullabrian)
Description
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Reference
https://www.coreycburton.com/blog/driploader-case-study
Date
2025-11-22 00:00:00
Modified
None
Id
e5f5c693-52d7-4de5-88ae-afbfbce85595
Tags
attack.execution attack.privilege-escalation attack.persistence attack.defense-evasion attack.t1129 attack.t1574.001 attack.t1036.005
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=e5f5c693-52d7-4de5-88ae-afbfbce85595

Rule History

Author
Title
Date
Commit
Jonathan Beierle
Merge PR #5762 from @HullaBrian - Unsigned .node File Load
2025-11-25
23a375bfa
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022