sigmamediumHunting

Potentially Suspicious Inline JavaScript Execution via NodeJS Binary

Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.

MITRE ATT&CK

execution

Detection Query

selection_img:
  - Image|endswith: \node.exe
  - OriginalFileName: node.exe
  - Product: Node.js
selection_cmd:
  CommandLine|contains|all:
    - http
    - execSync
    - spawn
    - fs
    - path
    - zlib
condition: all of selection_*

Author

Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-04-21

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/

Tags

attack.executionattack.t1059.007

Raw Content

title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains|all:
            - 'http'
            - 'execSync'
            - 'spawn'
            - 'fs'
            - 'path'
            - 'zlib'
    condition: all of selection_*
falsepositives:
    - Legitimate scripts using Node.js with these modules
level: medium