Detection | low | experimental

NodeJS Execution of JavaScript File

Detects execution of JavaScript or JSC files by the Node.js binary node.exe, which can be suspicious depending on context. Node.js is a popular open-source JavaScript runtime that runs code outside the browser and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as a legitimate process, evade security defenses, and maintain persistence on target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. Where node.exe is not normally present or used, however, this activity is highly suspicious and warrants immediate investigation.

Author: Swachchhanda Shrawan Poudel (Nextron Systems), created Mon Apr 21. Rule ID ba3874b9-0fae-465f-836c-eb5d071a1789, product windows.
Log Source
Product
Windows (raw: windows)
Category
Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains: '.js'
    condition: all of selection_*
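To see exactly what the two selectors above do and do not catch, the following added example re-implements the rule's logic in Python and runs it over a handful of constructed process-creation events. It is not code from SigmaHQ, the rule author or the Sigma project; it implements only the three string modifiers the rule needs (endswith, equals, contains) with Sigma's default case-insensitive matching, and all hosts, paths and command lines in SAMPLE_EVENTS are made up for illustration. The renamed-binary event shows why OriginalFileName and Product are in selection_img alongside Image, and the json-arg event shows the substring behaviour of CommandLine|contains '.js' that drives most false positives.

```python
"""Evaluate the Sigma rule's detection logic against sample process-creation events.

Added worked example for this page; not code from SigmaHQ, the rule author or
the Sigma project. Only the modifiers the rule uses are implemented, with
Sigma's default case-insensitive string comparison. SAMPLE_EVENTS are
constructed (hypothetical hosts, paths and command lines).
"""

# selection_img: a YAML list of field tests means OR (any one match suffices).
SELECTION_IMG = [
    ("Image", "endswith", "\\node.exe"),
    ("OriginalFileName", "equals", "node.exe"),
    ("Product", "equals", "Node.js"),
]

# selection_cmd: a single field test (a mapping, so all entries must match).
SELECTION_CMD = [
    ("CommandLine", "contains", ".js"),
]


def _field_matches(event: dict, field: str, op: str, value: str) -> bool:
    """Apply one Sigma string modifier to one event field.

    Both sides are lower-cased because Sigma matches strings
    case-insensitively by default. A field absent from the event never matches.
    """
    actual = event.get(field)
    if actual is None:
        return False
    actual, value = actual.lower(), value.lower()
    if op == "endswith":
        return actual.endswith(value)
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unsupported modifier: {op}")


def selection_img(event: dict) -> bool:
    """True if any of the three image tests matches (list semantics = OR)."""
    return any(_field_matches(event, f, op, v) for f, op, v in SELECTION_IMG)


def selection_cmd(event: dict) -> bool:
    """True if every command-line test matches (mapping semantics = AND)."""
    return all(_field_matches(event, f, op, v) for f, op, v in SELECTION_CMD)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cmd(event)


# Constructed sample events in the Sigma process_creation field taxonomy.
SAMPLE_EVENTS = [
    {   # plain developer use: fires, which is the documented false-positive case
        "id": "dev-script",
        "Image": r"C:\Program Files\nodejs\node.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\src\app\server.js',
    },
    {   # node.exe copied and renamed to blend in: Image no longer ends with
        # \node.exe, but OriginalFileName from the PE version resource still
        # says node.exe, so selection_img still matches
        "id": "renamed-binary",
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": r"C:\Users\Public\svchost.exe C:\Users\Public\loader.js",
    },
    {   # node.exe without a script: the path contains "nodejs" but not ".js",
        # so selection_cmd fails and the rule stays quiet
        "id": "version-check",
        "Image": r"C:\Program Files\nodejs\node.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": r'"C:\Program Files\nodejs\node.exe" --version',
    },
    {   # substring caveat: ".json" contains ".js", so this fires as well
        "id": "json-arg",
        "Image": r"C:\Program Files\nodejs\node.exe",
        "OriginalFileName": "node.exe",
        "Product": "Node.js",
        "CommandLine": 'node.exe -e "console.log(require(\'./package.json\').version)"',
    },
    {   # a .js file run by a different script host: selection_img fails
        "id": "cscript",
        "Image": r"C:\Windows\System32\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "Product": "Microsoft® Windows® Operating System",
        "CommandLine": r"cscript.exe C:\Temp\setup.js",
    },
]


def evaluate(events: list) -> dict:
    """Return {event id: rule_matches(event)} for every event."""
    return {e["id"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'MATCH   ' if hit else 'no match'}  {event_id}")
```

Running the block prints one line per sample event. The renamed-binary and json-arg cases are the two worth remembering when tuning: the first is the reason not to drop the OriginalFileName and Product alternatives from selection_img, the second is the reason a filter on known script directories or parent processes is usually needed before the rule is promoted above low.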
False Positives

Legitimate use of node.exe to execute JavaScript or JSC files in your environment, for example on developer workstations, CI build agents, or hosts running applications that bundle node.exe. Note that CommandLine|contains '.js' is a substring test: besides .js and .jsc it also matches arguments such as '.json' or '.jsx' and any path containing '.js', so a filter on known script directories or parent processes is usually needed where node.exe is common.

MITRE ATT&CK
Execution (TA0002): T1059.007 Command and Scripting Interpreter: JavaScript
Rule Metadata
Rule ID
ba3874b9-0fae-465f-836c-eb5d071a1789
Status
experimental
Level
low
Type
Detection
Created
Mon Apr 21
Path
rules/windows/process_creation/proc_creation_win_security_susp_node_js_execution.yml
Raw Tags
attack.execution, attack.t1059.007