Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Sigma rule

```yaml
title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains|all:
            - 'http'
            - 'execSync'
            - 'spawn'
            - 'fs'
            - 'path'
            - 'zlib'
    condition: all of selection_*
falsepositives:
    - Legitimate scripts using Node.js with these modules
level: medium
```
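To see how the two selections combine, here is the rule's logic re-implemented over a handful of constructed process-creation events (added example, not code from the Sigma project). The `selection_img` list is OR-ed (any one of Image, OriginalFileName or Product suffices, so a renamed binary is still caught via OriginalFileName), while `contains|all` on CommandLine requires every keyword; Sigma string matching is case-insensitive, which the code mirrors. The event fields and sample command lines are assumptions for illustration.

```python
"""Re-implementation of the rule's detection logic over constructed sample events."""
from typing import Dict, List

# selection_img: a YAML list of maps is OR-ed in Sigma, so any single field match is enough.
IMAGE_SUFFIX = "\\node.exe"
ORIGINAL_FILE_NAME = "node.exe"
PRODUCT = "Node.js"

# selection_cmd: CommandLine|contains|all requires every keyword to be present.
CMD_KEYWORDS = ["http", "execSync", "spawn", "fs", "path", "zlib"]


def matches_image(event: Dict[str, str]) -> bool:
    """selection_img: Image suffix OR OriginalFileName OR Product (case-insensitive)."""
    return (
        event.get("Image", "").lower().endswith(IMAGE_SUFFIX)
        or event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME
        or event.get("Product", "").lower() == PRODUCT.lower()
    )


def matches_cmdline(event: Dict[str, str]) -> bool:
    """selection_cmd: all six keywords must appear somewhere in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return all(kw.lower() in cmd for kw in CMD_KEYWORDS)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return matches_image(event) and matches_cmdline(event)


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample telemetry (hypothetical values, not real events).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\nodejs\node.exe",  # inline -e script touching all six modules
     "CommandLine": "node.exe -e \"const http=require('http'),fs=require('fs'),path=require('path'),"
                    "zlib=require('zlib');const {execSync,spawn}=require('child_process');...\""},
    {"Image": r"C:\Program Files\nodejs\node.exe",  # ordinary build script: keywords absent
     "CommandLine": "node.exe build.js --out dist"},
    {"Image": r"C:\Tools\runtime.exe", "OriginalFileName": "node.exe",  # renamed node binary
     "CommandLine": "runtime.exe -e \"http execSync spawn fs path zlib\""},
    {"Image": r"C:\Windows\System32\cmd.exe",  # same keywords, but not node.exe: selection_img fails
     "CommandLine": "cmd.exe /c echo http execSync spawn fs path zlib"},
]

if __name__ == "__main__":
    print("alerts on events:", run_rule(SAMPLE_EVENTS))  # [0, 2]
```

Short tokens such as `fs` and `path` match broadly on their own, which is why the rule relies on all six co-occurring and is rated medium with the listed false positive.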
Related rules
- NodeJS Execution of JavaScript File
- MSHTA Execution with Suspicious File Extensions
- Node Process Executions
- Suspicious Deno File Written from Remote Source
- Potential Dropper Script Execution Via WScript/CScript