LoFP LoFP / legitimate use of node.exe to execute javascript or jsc files on your environment

Techniques

Sample rules

NodeJS Execution of JavaScript File

Description

Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains: .js
selection_img:
- Image|endswith: \node.exe
- OriginalFileName: node.exe
- Product: Node.js