Query Details

Node JS Suspicious Executions

Query

# Rule: Suspicious Node.js Process Execution with PowerShell

## Description
This detection rule identifies suspicious executions of `node.exe` that include potentially malicious command-line arguments. Attackers often use Node.js (`node.exe`) to execute system commands, including PowerShell, to gain unauthorized access, execute malicious scripts, or establish persistence on a compromised system.

By monitoring Node.js processes with command-line arguments containing HTTP-related operations (`http`), child process creation functions (`spawn`, `execSync`), JavaScript constants (`const`), and PowerShell execution, this rule helps detect potential exploitation, malware execution, or unauthorized command execution.

## Detection Logic
- **Monitors `DeviceProcessEvents`** for processes where:
  - The `FileName` contains `"node.exe"`, and
  - The `ProcessCommandLine` contains all of the following terms (the query uses `has_all`, so every one of them must be present, including both `spawn` and `execSync`):
    - `"http"` (indicating potential external network connections)
    - `"spawn"` and `"execSync"` (indicating child process creation)
    - `"const"` (a JavaScript declaration keyword, indicating script code passed on the command line)
    - `"powershell"` (indicating potential command execution via PowerShell)

## Tags
- Node.js Execution
- PowerShell Execution
- Suspicious Command Execution
- Process Monitoring
- Code Execution via Node.js

## Search Query
```kql
DeviceProcessEvents
| where FileName contains "node.exe"
| where ProcessCommandLine has_all ("http", "spawn", "execSync", "const", "powershell")
```

Explanation

This query is designed to detect potentially malicious activity involving the execution of Node.js processes on a system. Specifically, it looks for instances where the Node.js executable (node.exe) is run with certain suspicious command-line arguments. These arguments suggest that the process might be used for unauthorized activities, such as:

  1. Network Connections: The presence of "http" indicates that the process might be making external network connections, which could be used for data exfiltration or communication with a command-and-control server.

  2. Child Process Creation: The presence of both "spawn" and "execSync" (the query requires every listed term) suggests that the Node.js process is creating additional processes, which is a common technique used by attackers to execute further commands or scripts.

  3. JavaScript Code Execution: The keyword "const" is a JavaScript constant declaration, often seen in scripts. Its presence might indicate the execution of JavaScript code, which could be part of a malicious script.

  4. PowerShell Execution: The inclusion of "powershell" suggests that the Node.js process is launching PowerShell, a powerful tool often used by attackers to perform a variety of malicious actions on a system.

By monitoring these specific indicators within Node.js processes, the query aims to identify and alert on suspicious activities that could indicate exploitation, malware execution, or unauthorized command execution on a compromised system.
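To show how the `has_all` predicate behaves on concrete rows, the following is an added Python re-implementation of the rule's logic run over constructed `DeviceProcessEvents` samples; it is not part of the original query or the author's work. The term tokenizer is an assumed approximation of KQL's whole-term matching, which is why a command line carrying only `https` does not satisfy `has "http"`, and why a script that uses `spawn` without `execSync` is not matched.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (constructed, not real telemetry)."""
    FileName: str
    ProcessCommandLine: str


# The five terms the KQL rule passes to has_all.
REQUIRED_TERMS = ("http", "spawn", "execSync", "const", "powershell")


def kql_terms(text: str) -> set:
    """Approximate KQL term indexing (assumption): split on non-alphanumerics, case-fold.
    KQL `has` matches whole terms, so the term "https" does not satisfy has "http"."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def matches_rule(ev: ProcessEvent) -> bool:
    """Same predicate as the KQL: `contains` (substring) on FileName, `has_all` on the command line."""
    if "node.exe" not in ev.FileName.lower():
        return False
    terms = kql_terms(ev.ProcessCommandLine)
    return all(t.lower() in terms for t in REQUIRED_TERMS)


def run_rule(events):
    """Return the rows the rule would alert on."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample rows covering the hit and the two common misses.
SAMPLE_EVENTS = [
    # All five terms present: matched.
    ProcessEvent("node.exe", "node.exe -e \"const cp = require('child_process'); const http = require('http');"
                 " cp.spawn('powershell', ['-c', 'whoami']); cp.execSync('powershell -c whoami')\""),
    # spawn without execSync: has_all fails, not matched.
    ProcessEvent("node.exe", "node.exe -e \"const cp = require('child_process'); const http = require('http');"
                 " cp.spawn('powershell', ['-c', 'whoami'])\""),
    # Only an https URL, no bare http term: has_all fails, not matched.
    ProcessEvent("node.exe", "node.exe -e \"const cp = require('child_process'); const u = 'https://example.invalid';"
                 " cp.spawn('powershell'); cp.execSync('powershell')\""),
    # Different image name: excluded by the FileName filter.
    ProcessEvent("powershell.exe", "powershell.exe -c whoami"),
]
```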

Details


Ali Hussein

Released: March 13, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

contains, has_all, where, |
