Recently, we discussed various methods of persistence on corporate devices, and a colleague of mine mentioned a tool he had written. We weren't certain whether we could use it to our advantage, but it prompted us to look further into exploiting Electron applications.
None of the methods covered in this blog post (DLL hijacking, the remote debugging protocol, Beemka) are new; all have been documented extensively elsewhere. But since it took me a long time to compile a current list of possible methods, I wanted to provide a single reference point for Electron post-exploitation persistence.
In the past few years, JavaScript usage has increased tremendously in the browser realm, largely thanks to frameworks like React, Vue, and Angular, and has also gone beyond the browser with Node.js, Deno, and React Native.
Electron.js is one of these frameworks. Since its release in 2013, Electron has grown to become one of the most popular frameworks for building cross-platform desktop apps. VS Code, Slack, Twitch, and many other widely used desktop applications are built with Electron.