Rule : Suspicious Node.js Execution of Masqueraded Font Payload
Polin Rider Node
Query
DeviceProcessEvents
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (".woff", ".woff2", ".ttf", ".otf")About this query
Rule : Suspicious Node.js Execution of Masqueraded Font Payload
Description
Detects Node.js executing font/static asset extensions (e.g., .woff2) indicating masquerading and malicious execution.
Detection Logic
- Node process execution
- Command line contains .woff/.woff2/.ttf/.otf
MITRE ATT&CK
- T1059 – Command and Scripting Interpreter
- T1027 – Obfuscated Files or Information
Tags
Execution, Defense Evasion, Masquerading, Supply Chain
Search Query
References
- PolinRider Campaign
- OpenSourceMalware research
Explanation
This query is designed to identify potentially malicious activity involving Node.js. Specifically, it looks for instances where Node.js is used to execute files with font-related extensions such as .woff, .woff2, .ttf, or .otf. This behavior is unusual and may indicate that these files are being used to disguise malicious scripts or payloads.
Key Points:
- Purpose: To detect suspicious use of Node.js for executing files that are typically static assets (fonts), which could be a sign of masquerading and malicious activity.
- Detection Criteria:
- The process being executed is Node.js (
node.exeornode). - The command line includes font file extensions, suggesting these files are being executed rather than used as intended.
- The process being executed is Node.js (
- Related Threat Techniques:
- Command and Scripting Interpreter (T1059): Using scripts or command-line interpreters for execution.
- Obfuscated Files or Information (T1027): Using obfuscation to hide the true nature of files or commands.
- Tags: This activity is associated with execution, defense evasion, masquerading, and supply chain threats.
- Context: The query references the PolinRider Campaign and OpenSourceMalware research, indicating real-world relevance and examples of such tactics.
In summary, this query helps security teams detect and investigate suspicious Node.js activity that could be part of a broader attack strategy involving disguised malicious scripts.
