NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Sigma rule (View on GitHub)
1title: NodeJS Execution of JavaScript File
2id: ba3874b9-0fae-465f-836c-eb5d071a1789
3status: experimental
4description: |
5 Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
6 Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
7 Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
8 Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
9references:
10 - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
11author: Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-04-21
13tags:
14 - attack.execution
15 - attack.t1059.007
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\node.exe'
22 - OriginalFileName: 'node.exe'
23 - Product: 'Node.js'
24 selection_cmd:
25 CommandLine|contains: '.js'
26 condition: all of selection_*
27falsepositives:
28 - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
29level: low
References
-
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.
Read More
Related rules
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- MSHTA Execution with Suspicious File Extensions
- Node Process Executions
- Suspicious Deno File Written from Remote Source
- Potential Dropper Script Execution Via WScript/CScript