Query Details

Polin Rider Node

Query

# Rule: Suspicious Node.js Execution of Masqueraded Font Payload

## Description
Detects Node.js executing files with font or static-asset extensions (e.g., .woff2), a sign that a script or payload has been masqueraded as a font to evade inspection.

## Detection Logic
- Node process execution
- Command line contains .woff/.woff2/.ttf/.otf

## MITRE ATT&CK
- T1059 – Command and Scripting Interpreter
- T1027 – Obfuscated Files or Information

## Tags
Execution, Defense Evasion, Masquerading, Supply Chain

## Search Query
```kql
DeviceProcessEvents
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (".woff", ".woff2", ".ttf", ".otf")
```

## References
- PolinRider Campaign
- OpenSourceMalware research

Explanation

This query is designed to identify potentially malicious activity involving Node.js. Specifically, it looks for instances where Node.js is used to execute files with font-related extensions such as .woff, .woff2, .ttf, or .otf. This behavior is unusual and may indicate that these files are being used to disguise malicious scripts or payloads.

Key Points:

  • Purpose: To detect suspicious use of Node.js for executing files that are typically static assets (fonts), which could be a sign of masquerading and malicious activity.
  • Detection Criteria:
    • The process being executed is Node.js (node.exe or node).
    • The command line includes a font file extension (.woff, .woff2, .ttf or .otf), suggesting these files are being executed rather than used as intended. The match is on the extension anywhere in the command line, so a font path passed as an argument to a legitimate .js script will also match and needs to be separated from the case where the font file itself is the script being run.
  • Related Threat Techniques:
    • Command and Scripting Interpreter (T1059): Using scripts or command-line interpreters for execution.
    • Obfuscated Files or Information (T1027): Using obfuscation to hide the true nature of files or commands.
  • Tags: This activity is associated with execution, defense evasion, masquerading, and supply chain threats.
  • Context: The query references the PolinRider Campaign and OpenSourceMalware research, indicating real-world relevance and examples of such tactics.

In summary, this query helps security teams detect and investigate suspicious Node.js activity that could be part of a broader attack strategy involving disguised malicious scripts.
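As an added worked example (not part of the original query page or the PolinRider/OpenSourceMalware material it references), the following Python script emulates the rule's two KQL predicates over a few constructed DeviceProcessEvents-style rows: `in~` as case-insensitive membership and `has_any` as whole-term matching, which is why `.woff` and `.woff2` both have to be listed. It also adds a triage helper, `script_argument_is_font`, which is an assumption of this example rather than part of the rule: it checks whether the first non-flag argument handed to node is itself a font file, separating "node ran a .woff2 file" from "a build script received a font path as input". Host names and paths in the sample rows are invented.

```python
import re
import shlex

# Extensions and process names taken from the rule's Detection Logic section.
FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf")
NODE_FILENAMES = ("node.exe", "node")

# Constructed sample rows shaped like the DeviceProcessEvents columns the query reads.
# Device names and paths are invented for illustration, not taken from any incident.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "node.exe",
     "ProcessCommandLine": r'"C:\Program Files\nodejs\node.exe" C:\Users\dev\AppData\Local\Temp\pkg\assets\icons.woff2'},
    {"DeviceName": "build01", "FileName": "node",
     "ProcessCommandLine": "node scripts/subset-fonts.js src/fonts/Inter.ttf --out dist/"},
    {"DeviceName": "ws02", "FileName": "NODE.EXE",
     "ProcessCommandLine": "NODE.EXE server.js --port 8080"},
    {"DeviceName": "ws03", "FileName": "python.exe",
     "ProcessCommandLine": "python.exe render.py brand.otf"},
]

_TERM = re.compile(r"[A-Za-z0-9]+")


def kql_terms(text):
    """Approximate KQL term tokenisation: lower-cased runs of alphanumerics.
    `has` / `has_any` match whole terms, so ".woff" matches the term "woff"
    but not "woff2"; that is why the rule lists both extensions separately."""
    return set(_TERM.findall(text.lower()))


def is_node_process(event):
    """Emulates `FileName in~ ("node.exe", "node")`: case-insensitive membership."""
    return event["FileName"].lower() in NODE_FILENAMES


def font_terms_in_command_line(command_line):
    """Emulates `ProcessCommandLine has_any (".woff", ".woff2", ".ttf", ".otf")`.
    Returns the extensions whose term occurs in the command line, in rule order."""
    present = kql_terms(command_line)
    return [ext for ext in FONT_EXTENSIONS if ext.lstrip(".") in present]


def match_rule(events):
    """Applies both predicates of the rule and returns the matching rows."""
    return [e for e in events
            if is_node_process(e) and font_terms_in_command_line(e["ProcessCommandLine"])]


def script_argument_is_font(command_line):
    """Triage helper (an assumption of this example, not part of the rule).
    True when the first non-flag argument after the node binary is a font file,
    i.e. node was asked to run the font itself; False when a .js script is the
    entry point and a font path merely appears later as an input argument."""
    args = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    for arg in args[1:]:
        if arg.startswith("-"):
            continue  # skip node flags such as --no-warnings
        return arg.strip('"').lower().endswith(FONT_EXTENSIONS)
    return False


if __name__ == "__main__":
    for hit in match_rule(SAMPLE_EVENTS):
        cmd = hit["ProcessCommandLine"]
        verdict = "font file is the script" if script_argument_is_font(cmd) else "font path is an argument"
        print(f"{hit['DeviceName']}: {font_terms_in_command_line(cmd)} -> {verdict}")
```

Run stand-alone, the script reports two hits: the ws01 row, where the .woff2 file is the entry point node was told to run, and the build01 row, where a .js script is the entry point and the .ttf path is only an input. Only the first pattern matches the masquerading behaviour the rule describes; the second is the typical benign source of noise from font tooling, so the helper is a reasonable first-pass split when reviewing alerts from this query.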

Details


Ali Hussein

Released: March 29, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

in~, has_any
