NodeJS Execution of JavaScript File

Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.

Sigma rule (View on GitHub)

 1title: NodeJS Execution of JavaScript File
 2id: ba3874b9-0fae-465f-836c-eb5d071a1789
 3status: experimental
 4description: |
 5    Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
 6    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
 7    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
 8    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.    
 9references:
10    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
11author: Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-04-21
13tags:
14    - attack.execution
15    - attack.t1059.007
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\node.exe'
22        - OriginalFileName: 'node.exe'
23        - Product: 'Node.js'
24    selection_cmd:
25        CommandLine|contains: '.js'
26    condition: all of selection_*
27falsepositives:
28    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
29level: low

References

Related rules

to-top