Rule : Node.js Blockchain C2 Communication
Node C2polinder
Query
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where RemoteUrl has_any ("trongrid.io", "aptoslabs.com")About this query
Rule : Node.js Blockchain C2 Communication
Description
Detects Node.js communication with blockchain APIs used for payload delivery.
Detection Logic
- Node network events to blockchain endpoints
MITRE ATT&CK
- T1071 – Application Layer Protocol
- T1102 – Web Service / Blockchain C2
Tags
Command and Control, Blockchain, Node.js
Search Query
References
- TronGrid API
- Aptos Blockchain
Explanation
This query is designed to detect suspicious network activity involving Node.js applications that may be communicating with blockchain APIs for potentially malicious purposes, such as delivering payloads. Here's a simple breakdown:
-
Purpose: The query aims to identify instances where Node.js applications are communicating with specific blockchain-related endpoints, which could indicate command and control (C2) activities.
-
Detection Criteria:
- It looks at network events on devices.
- Specifically, it filters for processes initiated by Node.js (i.e., "node.exe" or "node").
- It further narrows down to communications with URLs related to blockchain services, specifically "trongrid.io" and "aptoslabs.com".
-
Relevance to Security Frameworks:
- The query is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1102 (Web Service / Blockchain C2), which relate to the use of web services for command and control.
-
Tags: The query is tagged with terms like Command and Control, Blockchain, and Node.js, indicating its focus on detecting C2 activities involving blockchain and Node.js.
-
References: It mentions specific blockchain services (TronGrid API and Aptos Blockchain) as points of interest for this detection.
In summary, this query is used to monitor and flag potential malicious activities involving Node.js applications communicating with certain blockchain services, which could be indicative of cyber threats.
