Rule : Suspicious Node.js Process Execution with PowerShell
Node JS Suspicious Executions
Query
DeviceProcessEvents
| where FileName contains "node.exe"
| where ProcessCommandLine has_all ("http", "spawn", "execSync", "const", "powershell")About this query
Explanation
This query is designed to detect potentially malicious activity involving the execution of Node.js processes on a system. Specifically, it looks for instances where the Node.js executable (node.exe) is run with certain suspicious command-line arguments. These arguments suggest that the process might be used for unauthorized activities, such as:
-
Network Connections: The presence of
"http"indicates that the process might be making external network connections, which could be used for data exfiltration or communication with a command-and-control server. -
Child Process Creation: The use of
"spawn"or"execSync"suggests that the Node.js process is creating additional processes, which is a common technique used by attackers to execute further commands or scripts. -
JavaScript Code Execution: The keyword
"const"is a JavaScript constant declaration, often seen in scripts. Its presence might indicate the execution of JavaScript code, which could be part of a malicious script. -
PowerShell Execution: The inclusion of
"powershell"suggests that the Node.js process is executing PowerShell commands, which is a powerful tool often used by attackers to perform a variety of malicious actions on a system.
By monitoring these specific indicators within Node.js processes, the query aims to identify and alert on suspicious activities that could indicate exploitation, malware execution, or unauthorized command execution on a compromised system.
Details

Ali Hussein
Released: March 13, 2025
Tables
Keywords
Operators