Suspicious Execution with NodeJS

  1[metadata]
  2creation_date = "2025/08/21"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/08/21"
  6
  7
  8[rule]
  9author = ["Elastic"]
 10description = """
 11Identifies suspicious execution patterns using NodeJS interpeter like process path and arguments.
 12"""
 13
 14from = "now-9m"
 15index = [
 16    "endgame-*",
 17    "logs-crowdstrike.fdr*",
 18    "logs-endpoint.events.process-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-system.security*",
 22    "logs-windows.forwarded*",
 23    "logs-windows.sysmon_operational-*",
 24    "winlogbeat-*",
 25]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "Suspicious Execution with NodeJS"
 29references = ["https://nodejs.org"]
 30risk_score = 73
 31rule_id = "55f711c1-6b4d-4787-930d-c9317a885adf"
 32severity = "high"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Execution",
 38    "Resources: Investigation Guide",
 39    "Data Source: Elastic Endgame",
 40    "Data Source: Elastic Defend",
 41    "Data Source: Windows Security Event Logs",
 42    "Data Source: Microsoft Defender for Endpoint",
 43    "Data Source: Sysmon",
 44    "Data Source: SentinelOne",
 45    "Data Source: Crowdstrike",
 46]
 47timestamp_override = "event.ingested"
 48type = "eql"
 49
 50query = '''
 51process where host.os.type == "windows" and event.type == "start" and
 52
 53(process.name : "node.exe" or ?process.pe.original_file_name == "node.exe" or ?process.code_signature.subject_name : "OpenJS Foundation") and
 54
 55(
 56  (process.executable : ("?:\\Users\\*\\AppData\\*\\node.exe", "\\Device\\HarddiskVolume?\\\\Users\\*\\AppData\\*\\node.exe") and process.args : "*.js") or
 57
 58  (process.args : "-r" and process.parent.name : "powershell.exe") or
 59
 60   process.command_line : ("*eval(*", "*atob(*", "*require*child_process*")
 61)
 62'''
 63note = """## Triage and analysis
 64
 65> **Disclaimer**:
 66> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 67
 68### Investigating Suspicious Execution with NodeJS
 69
 70Windows scripts, often used for legitimate automation tasks, can be exploited by adversaries to execute malicious code. Attackers may download scripts via browsers or file utilities, then execute them using scripting tools like wscript or mshta. The detection rule identifies such threats by monitoring script creation from internet sources and subsequent execution, focusing on unusual parent-child process relationships and script attributes.
 71
 72### Possible investigation steps
 73
 74- Analyze the execution event of the scripting utility (node.exe) to identify the command-line arguments used, which may provide insight into the script's intended actions.
 75- Review node.exe network, files and child process events for any suspicious activity.
 76- Verify parent and grand parent processes to assess persence of persistence and the potential initial vector.
 77- Check the user account associated with the script execution to determine if the activity is expected for that user or if it indicates a compromised account.
 78- Look for any additional related alerts or logs on the host that might indicate further malicious activity or lateral movement following the script execution.
 79
 80### False positive analysis
 81
 82- Legitimate script automation tools may trigger this rule if they download and execute scripts from the internet. Users can create exceptions for known safe tools by excluding specific file paths or process names.
 83- Software updates or installations that download scripts as part of their process might be flagged. To handle this, users can whitelist specific origin URLs or referrer URLs associated with trusted software vendors.
 84- Internal scripts distributed via corporate intranet sites could be misidentified as threats. Users should consider excluding scripts with known internal origin URLs or specific user IDs associated with IT operations.
 85- Browser extensions or plugins that automate tasks using scripts may cause false positives. Users can exclude these by identifying and excluding the specific browser process names or file extensions involved.
 86- Frequent use of file utilities like winrar or 7zFM for legitimate script handling can be excluded by specifying trusted file paths or user IDs that regularly perform these actions.
 87
 88### Response and remediation
 89
 90- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
 91- Terminate any suspicious processes identified in the alert, such as wscript.exe or mshta.exe, to stop the execution of the downloaded script.
 92- Quarantine the downloaded script file and any associated files to prevent further execution and facilitate forensic analysis.
 93- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
 94- Review and analyze the origin URL and referrer URL of the downloaded script to identify potential malicious websites or compromised sources, and block these URLs at the network level.
 95- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 96- Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future."""
 97
 98
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101
102[[rule.threat.technique]]
103id = "T1059"
104name = "Command and Scripting Interpreter"
105reference = "https://attack.mitre.org/techniques/T1059/"
106
107[[rule.threat.technique.subtechnique]]
108id = "T1059.007"
109name = "JavaScript"
110reference = "https://attack.mitre.org/techniques/T1059/007/"
111
112
113
114[rule.threat.tactic]
115id = "TA0002"
116name = "Execution"
117reference = "https://attack.mitre.org/tactics/TA0002/"