Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
2id: 8537c866-072e-460d-bfff-aaf39cbd73d3
3status: experimental
4description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
5references:
6 - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
7author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
8date: 2025-04-21
9tags:
10 - attack.execution
11 - attack.t1059.007
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_img:
17 - Image|endswith: '\node.exe'
18 - OriginalFileName: 'node.exe'
19 - Product: 'Node.js'
20 selection_cmd:
21 CommandLine|contains|all:
22 - 'http'
23 - 'execSync'
24 - 'spawn'
25 - 'fs'
26 - 'path'
27 - 'zlib'
28 condition: all of selection_*
29falsepositives:
30 - Legitimate scripts using Node.js with these modules
31level: medium
References
-
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.
Read More
Related rules
- NodeJS Execution of JavaScript File
- MSHTA Execution with Suspicious File Extensions
- Node Process Executions
- Suspicious Deno File Written from Remote Source
- Potential Dropper Script Execution Via WScript/CScript