Techniques
Sample rules
NodeJS Execution of JavaScript File
- source: sigma
- technicques:
- t1059
- t1059.007
Description
Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Detection logic
condition: all of selection_*
selection_cmd:
CommandLine|contains: .js
selection_img:
- Image|endswith: \node.exe
- OriginalFileName: node.exe
- Product: Node.js