Windows Suspicious Child Process from Node.js - React2Shell

    Date: 01/02/2026

    Severity: High

    Summary

    Identifies suspicious child processes launched by Node.js server processes on Windows, which may signal exploitation of vulnerabilities such as CVE-2025-55182 (React2Shell). Adversaries may leverage the Node.js child_process module to execute system commands or scripts using functions such as spawn(), exec(), execFile(), fork(), or execSync(). When exec() or execSync() is used (or spawn() with the shell option), the command line shows a shell invocation (for example, cmd.exe /d /s /c "...") wrapping the suspicious command, unless a different shell is explicitly specified. With the other methods, the spawned binary appears directly in the Image field. The match is gated on the parent being node.exe whose command line identifies a Next.js or react-scripts server, so Node.js build scripts and unrelated tooling are out of scope.

    Indicators of Compromise (IOC) List

    The rule is a Sigma-style process-creation match with four parts: the parent must be node.exe running a Next.js or react-scripts server (ParentImage and ParentCommandLine), and the child must be either one of the listed binaries (launched directly via spawn(), execFile() or fork()) or cmd.exe invoked with /d /s /c and carrying one of the listed command-line tokens (exec()/execSync()). Shell commands the Next.js server is known to run itself are excluded.

    ParentImage (ends with) :

    - '\node.exe'

    ParentCommandLine (contains any of) :

    - '--experimental-https'

    - '--experimental-next-config-strip-types'

    - '\node_modules\next'

    - 'next dev'

    - 'next start'

    - 'next" start'

    - 'node_modules\\.bin\\\\..\\next' # Every backslash is escaped in the rule; the literal value is node_modules\.bin\\..\next, the path shape produced by the npm .bin cmd shim

    - 'react-scripts start'

    - 'start-server.js'

    Image (child process, ends with any of) :

    - '\bash.exe'

    - '\bitsadmin.exe'

    - '\certutil.exe'

    - '\cscript.exe'

    - '\curl.exe'

    - '\ipconfig.exe'

    - '\mshta.exe'

    - '\net.exe'

    - '\net1.exe'

    - '\netsh.exe'

    - '\nslookup.exe'

    - '\OpenConsole.exe'

    - '\perl.exe'

    - '\ping.exe'

    - '\powershell.exe'

    - '\pwsh.exe'

    - '\py.exe'

    - '\python.exe'

    - '\pythonw.exe'

    - '\pyw.exe'

    - '\reg.exe'

    - '\regsvr32.exe'

    - '\rundll32.exe'

    - '\sc.exe'

    - '\sh.exe'

    - '\systeminfo.exe'

    - '\wget.exe'

    - '\whoami.exe'

    - '\wmic.exe'

    - '\wscript.exe'

    - '\wt.exe'

    Shell invocation (Image ends with '\cmd.exe' and CommandLine contains '/d /s /c ' and any of) :

    - '\net'

    - 'bitsadmin'

    - 'certutil '

    - 'conhost --headless'

    - 'cscript '

    - 'curl'

    - 'ipconfig'

    - 'java'

    - 'lua'

    - 'mshta'

    - 'netsh'

    - 'nslookup '

    - 'perl'

    - 'ping '

    - 'powershell'

    - 'pwsh'

    - 'python'

    - 'reg '

    - 'reg.exe'

    - 'regsvr32'

    - 'ruby'

    - 'rundll32'

    - 'sc.exe'

    - 'systeminfo'

    - 'wget'

    - 'whoami'

    - 'wmic'

    - 'wscript'

    Exclusions (known-benign shell commands run by the Next.js server; every part of an entry must be present in CommandLine) :

    - 'git config --local --get remote.origin.url'

    - 'netstat -ano | findstr /C:' and ' | findstr LISTENING'

    - '\mkcert\' and ' -install '

    - '\mkcert\' and ' -CAROOT'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    resourcename = "Windows Security" AND eventtype = "4688" AND processname IN ("\bash.exe","\bitsadmin.exe","\certutil.exe","\cscript.exe","\curl.exe","\ipconfig.exe","\mshta.exe","\net.exe","\net1.exe","\netsh.exe","\nslookup.exe","\OpenConsole.exe","\perl.exe","\ping.exe","\powershell.exe","\pwsh.exe","\py.exe","\python.exe","\pythonw.exe","\pyw.exe","\reg.exe","\regsvr32.exe","\rundll32.exe","\sc.exe","\sh.exe","\systeminfo.exe","\wget.exe","\whoami.exe","\wmic.exe","\wscript.exe","\wt.exe","\python") AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js")

    Detection Query 2 :

    resourcename = "Windows Security" AND eventtype = "4688" AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js") AND processname like "\cmd.exe" AND commandline like "/d /s /c " AND commandline IN ("\net","bitsadmin","certutil ","conhost --headless","cscript ","curl","ipconfig","java","lua","mshta","netsh","nslookup ","perl","ping ","powershell","pwsh","python","reg ","reg.exe","regsvr32","ruby","rundll32","sc.exe","systeminfo","wget","whoami","wmic","wscript")

    Detection Query 3 :

    resourcename = "Windows Security" AND eventtype = "4688" AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js") AND processname like "\cmd.exe" AND commandline like "/d /s /c " AND NOT (commandline like "git config --local --get remote.origin.url") AND NOT (commandline like "netstat -ano | findstr /C:" AND commandline like " | findstr LISTENING") AND NOT (commandline like "\mkcert\" AND commandline like " -install ") AND NOT (commandline like "\mkcert\" AND commandline like " -CAROOT")

    Detection Query 4 :

    technologygroup = "EDR" AND processname IN ("\bash.exe","\bitsadmin.exe","\certutil.exe","\cscript.exe","\curl.exe","\ipconfig.exe","\mshta.exe","\net.exe","\net1.exe","\netsh.exe","\nslookup.exe","\OpenConsole.exe","\perl.exe","\ping.exe","\powershell.exe","\pwsh.exe","\py.exe","\python.exe","\pythonw.exe","\pyw.exe","\reg.exe","\regsvr32.exe","\rundll32.exe","\sc.exe","\sh.exe","\systeminfo.exe","\wget.exe","\whoami.exe","\wmic.exe","\wscript.exe","\wt.exe","\python") AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js")

    Detection Query 5 :

    technologygroup = "EDR" AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js") AND processname like "\cmd.exe" AND commandline like "/d /s /c " AND commandline IN ("\net","bitsadmin","certutil ","conhost --headless","cscript ","curl","ipconfig","java","lua","mshta","netsh","nslookup ","perl","ping ","powershell","pwsh","python","reg ","reg.exe","regsvr32","ruby","rundll32","sc.exe","systeminfo","wget","whoami","wmic","wscript")

    Detection Query 6 :

    technologygroup = "EDR" AND parentprocessname like "\node.exe" AND parentcommandline IN ("--experimental-https","--experimental-next-config-strip-types","\node_modules\next","next dev","next start","next\" start","node_modules\\.bin\\\\..\\next","react-scripts start","start-server.js") AND processname like "\cmd.exe" AND commandline like "/d /s /c " AND NOT (commandline like "git config --local --get remote.origin.url") AND NOT (commandline like "netstat -ano | findstr /C:" AND commandline like " | findstr LISTENING") AND NOT (commandline like "\mkcert\" AND commandline like " -install ") AND NOT (commandline like "\mkcert\" AND commandline like " -CAROOT")

    Queries 1 to 3 run against Windows Security event 4688 (process creation); queries 4 to 6 apply the same logic to EDR process telemetry. Within each set, the first query catches binaries launched directly (spawn(), execFile(), fork()), the second catches an exec()/execSync() shell wrapper whose command line carries one of the suspicious tokens, and the third is the broader net: any cmd.exe /d /s /c child of a Next.js or react-scripts server that is not one of the known-benign invocations (the git remote lookup, the netstat/findstr lookup, and mkcert). Two points to verify before deploying: event 4688 only carries the command line when the audit policy "Include command line in process creation events" is enabled, otherwise the commandline field is empty and queries 2, 3, 5 and 6 never fire; and the ParentCommandLine literal next" start contains a double quote and must be passed as one escaped string in whatever form the query language accepts, because splitting it into "next" and "start" lets the bare token start match almost any service or script launch.
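    The following is an added example and is not code from this page or from the SigmaHQ rule it is derived from: a Python re-implementation of the detection logic (direct child of a Next.js/react-scripts node.exe parent, or the cmd.exe /d /s /c wrapper that exec() and execSync() produce, minus the known-benign exclusions), run over constructed process-creation events. The field names follow the Sysmon/Sigma style of the IOC list; the event records, paths and the helper names are assumptions made for the example.

```python
"""Added example (not the Gurucul page's or SigmaHQ's code): the React2Shell
child-process rule re-implemented in Python over constructed 4688/Sysmon-style
events.  Every event below is made up for illustration."""

# Child images flagged when spawned directly (spawn/execFile/fork), from the IOC list.
SUSPICIOUS_CHILD_IMAGES = (
    "\\bash.exe", "\\bitsadmin.exe", "\\certutil.exe", "\\cscript.exe", "\\curl.exe",
    "\\ipconfig.exe", "\\mshta.exe", "\\net.exe", "\\net1.exe", "\\netsh.exe",
    "\\nslookup.exe", "\\openconsole.exe", "\\perl.exe", "\\ping.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\py.exe", "\\python.exe", "\\pythonw.exe",
    "\\pyw.exe", "\\reg.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\sc.exe",
    "\\sh.exe", "\\systeminfo.exe", "\\wget.exe", "\\whoami.exe", "\\wmic.exe",
    "\\wscript.exe", "\\wt.exe",
)
# Substrings that make an exec()/execSync() wrapper (cmd.exe /d /s /c ...) suspicious.
SHELL_TOKENS = (
    "\\net", "bitsadmin", "certutil ", "conhost --headless", "cscript ", "curl",
    "ipconfig", "java", "lua", "mshta", "netsh", "nslookup ", "perl", "ping ",
    "powershell", "pwsh", "python", "reg ", "reg.exe", "regsvr32", "ruby",
    "rundll32", "sc.exe", "systeminfo", "wget", "whoami", "wmic", "wscript",
)
# ParentCommandLine markers of a Next.js / react-scripts server.  The escaped
# entry is the literal node_modules\.bin\\..\next (npm .bin shim path shape).
PARENT_MARKERS = (
    "--experimental-https", "--experimental-next-config-strip-types",
    "\\node_modules\\next", "next dev", "next start", 'next" start',
    "node_modules\\.bin\\\\..\\next", "react-scripts start", "start-server.js",
)
# Known-benign shell commands the Next.js server runs itself; all parts must match.
BENIGN_SHELL_COMMANDS = (
    ("git config --local --get remote.origin.url",),
    ("netstat -ano | findstr /C:", " | findstr LISTENING"),
    ("\\mkcert\\", " -install "),
    ("\\mkcert\\", " -CAROOT"),
)


def _has(text, needle):
    """Case-insensitive 'contains', matching Sigma's default string semantics."""
    return needle.lower() in text.lower()


def is_node_server_parent(event):
    """Parent gate: node.exe whose command line identifies a Next.js/react-scripts server."""
    parent_cmd = event.get("ParentCommandLine", "")
    return (event.get("ParentImage", "").lower().endswith("\\node.exe")
            and any(_has(parent_cmd, m) for m in PARENT_MARKERS))


def is_known_benign(cmdline):
    return any(all(_has(cmdline, p) for p in parts) for parts in BENIGN_SHELL_COMMANDS)


def classify(event):
    """Return a reason string when the rule fires on the event, else None."""
    if not is_node_server_parent(event):
        return None
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if image.endswith(SUSPICIOUS_CHILD_IMAGES):  # spawn()/execFile()/fork(): binary in Image
        return "direct child " + image.rsplit("\\", 1)[-1]
    if image.endswith("\\cmd.exe") and _has(cmdline, "/d /s /c "):  # exec()/execSync()
        if is_known_benign(cmdline):
            return None
        hits = [t for t in SHELL_TOKENS if _has(cmdline, t)]
        if hits:
            return "shell child with suspicious token(s): " + ", ".join(hits)
        return "shell child not on the benign list"  # broader tier (queries 3 and 6)
    return None


def run(events):
    """Return (EventId, reason) for every event the rule fires on."""
    out = []
    for e in events:
        reason = classify(e)
        if reason:
            out.append((e["EventId"], reason))
    return out


# Constructed sample events (hypothetical paths and IDs).
NODE = r"C:\Program Files\nodejs\node.exe"
NEXT_START = r'"C:\Program Files\nodejs\node.exe" "C:\app\node_modules\next\dist\bin\next" start'
CMD = r"C:\Windows\System32\cmd.exe"


def _ev(eid, image, cmdline, parent_cmd=NEXT_START):
    return {"EventId": eid, "Image": image, "CommandLine": cmdline,
            "ParentImage": NODE, "ParentCommandLine": parent_cmd}


EVENTS = [
    # exec('powershell ...') from a compromised server: cmd.exe wrapper, two tokens hit
    _ev("e1", CMD, r'C:\Windows\system32\cmd.exe /d /s /c "powershell -nop -w hidden -c whoami"'),
    # execFile('whoami', ['/all']): the binary shows up directly in Image
    _ev("e2", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    # git remote lookup and netstat/findstr lookup: both on the exclusion list
    _ev("e3", CMD, r'C:\Windows\system32\cmd.exe /d /s /c "git config --local --get remote.origin.url"'),
    _ev("e4", CMD, r'C:\Windows\system32\cmd.exe /d /s /c "netstat -ano | findstr /C:":3000" | findstr LISTENING"'),
    # python.exe from an unrelated Node script: parent gate fails, no match
    _ev("e5", r"C:\Python312\python.exe", "python export.py",
        r'"C:\Program Files\nodejs\node.exe" C:\app\scripts\seed-db.js'),
    # shell command with no listed token and not on the benign list: broader tier only
    _ev("e6", CMD, r'C:\Windows\system32\cmd.exe /d /s /c "type C:\app\.env.local"'),
]

if __name__ == "__main__":
    for eid, reason in run(EVENTS):
        print(eid, reason)
```

    Running it fires on e1 (shell wrapper carrying powershell and whoami), e2 (whoami.exe spawned directly) and e6 (a shell command that is neither tokenised nor on the benign list), and stays silent on the two Next.js housekeeping commands and on the child of a non-server Node process. The parent gate is what keeps npm scripts and build tooling out; if a deployment launches its server some other way, the PARENT_MARKERS tuple is the place to extend.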

    Reference:     

     https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml


    Tags

    Sigma, Vulnerability, React2Shell, Malware, CVE-2025, Exploit
