Techniques
Sample rules
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- source: sigma
- techniques:
- t1059
- t1059.007
Description
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Detection logic
condition: all of selection_*
selection_cmd:
    CommandLine|contains|all:
        - http
        - execSync
        - spawn
        - fs
        - path
        - zlib
selection_img:
    - Image|endswith: \node.exe
    - OriginalFileName: node.exe
    - Product: Node.js
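The following is an added example, not part of the Sigma rule or this page: a small Python evaluator that applies the detection logic above to a few constructed process-creation events. It implements the three Sigma semantics the rule relies on: `contains|all` (every keyword must be present, case-insensitively, as Sigma matches by default), a list of maps under `selection_img` (OR across the three ways of identifying the Node.js binary) and `all of selection_*` (both selections must hold). The field names follow the Sigma `process_creation` log source; the sample events and their command lines are made up for illustration.

```python
"""Evaluate the page's Sigma detection logic against constructed events.

Added example, not the rule author's code. Event field names (Image,
OriginalFileName, Product, CommandLine) follow the Sigma process_creation
log source; the sample events below are constructed, not real telemetry.
"""

# Rule values exactly as they appear in the detection logic on the page.
CMD_KEYWORDS = ["http", "execSync", "spawn", "fs", "path", "zlib"]
IMAGE_SUFFIX = "\\node.exe"
ORIGINAL_FILE_NAME = "node.exe"
PRODUCT = "Node.js"


def _norm(value):
    """Sigma string matching is case-insensitive by default; a missing
    field is treated as an empty string so it never matches."""
    return (value or "").lower()


def selection_cmd(event):
    """CommandLine|contains|all: every keyword must occur in the command line."""
    cmd = _norm(event.get("CommandLine"))
    return all(kw.lower() in cmd for kw in CMD_KEYWORDS)


def selection_img(event):
    """A list of maps in Sigma is OR-ed: any one of the three identifies node.
    OriginalFileName and Product come from the PE version resource, so a
    renamed node.exe still matches."""
    return (
        _norm(event.get("Image")).endswith(IMAGE_SUFFIX.lower())
        or _norm(event.get("OriginalFileName")) == ORIGINAL_FILE_NAME.lower()
        or _norm(event.get("Product")) == PRODUCT.lower()
    )


def rule_matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_cmd(event) and selection_img(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # renamed binary, but the version resource still says node.exe;
        # all six keywords appear in the inline script
        "Image": "C:\\Users\\Public\\svchost.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": "svchost.exe -e \"const http=require('http'),fs=require('fs'),"
                       "path=require('path'),zlib=require('zlib');const {execSync,spawn}="
                       "require('child_process');\"",
    },
    {   # ordinary build step: genuine node.exe, but only one keyword present
        "Image": "C:\\Program Files\\nodejs\\node.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": "node.exe build.js --out path/dist",
    },
    {   # every keyword in the command line, but the image is not Node.js
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "Product": "Microsoft Windows Operating System",
        "CommandLine": "cmd.exe /c echo http execSync spawn fs path zlib",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        verdict = "ALERT" if rule_matches(ev) else "-"
        print(i, verdict, ev["CommandLine"][:60])
```

Only the first event fires: the second is a routine Node.js invocation that lacks most of the keywords, and the third carries all the keywords but is not the Node.js binary. Short tokens such as `fs` and `path` occur in a great many benign command lines, which is why the rule only alerts when all six appear together and the image selection also matches; when tuning, look at the full `CommandLine` of each hit rather than relaxing the keyword list.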