Query Details

Rule : Suspicious Node.js Process Execution with PowerShell

Node JS Suspicious Executions

Query

DeviceProcessEvents
| where FileName contains "node.exe"
| where ProcessCommandLine has_all ("http", "spawn", "execSync", "const", "powershell")

About this query

Explanation

This query is designed to detect potentially malicious activity involving the execution of Node.js processes on a system. Specifically, it looks for instances where the Node.js executable (node.exe) is run with certain suspicious command-line arguments. These arguments suggest that the process might be used for unauthorized activities, such as:

  1. Network Connections: The presence of "http" indicates that the process might be making external network connections, which could be used for data exfiltration or communication with a command-and-control server.

  2. Child Process Creation: The use of "spawn" or "execSync" suggests that the Node.js process is creating additional processes, which is a common technique used by attackers to execute further commands or scripts.

  3. JavaScript Code Execution: The keyword "const" is a JavaScript constant declaration, often seen in scripts. Its presence might indicate the execution of JavaScript code, which could be part of a malicious script.

  4. PowerShell Execution: The inclusion of "powershell" suggests that the Node.js process is executing PowerShell commands, which is a powerful tool often used by attackers to perform a variety of malicious actions on a system.

By monitoring these specific indicators within Node.js processes, the query aims to identify and alert on suspicious activities that could indicate exploitation, malware execution, or unauthorized command execution on a compromised system.

Details

Ali Hussein profile picture

Ali Hussein

Released: March 13, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

containshas_allwhere|

Actions

GitHub