
Defending Against the Axios npm Supply Chain Attack: Detection and Remediation

Security Arsenal Team
April 2, 2026

Detection & Response

Sigma Rules (YAML)
---
title: Suspicious Node.js Child Process - PowerShell/CMD
id: 8e4b6c1a-1f20-4a3d-9b5a-2c1e3d4a5b6c
status: experimental
description: Detects Node.js processes spawning PowerShell or Command Prompt, often indicative of malicious npm packages like the Axios supply chain attack executing shell commands.
references:
  - https://attack.mitre.org/techniques/T1059/003/
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/04/19
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate development scripts invoking system tools
level: high
---
title: NPM Install Spawning Shell
id: 00000000-0000-4000-8000-000000000000  # placeholder: the published id was not a valid UUID, generate a fresh UUIDv4 before deploying
status: experimental
description: Detects npm (Node Package Manager) spawning a shell during package installation, a common technique in supply chain attacks using pre/post-install scripts.
references:
  - https://attack.mitre.org/techniques/T1195.002/
author: Security Arsenal
date: 2024/04/19
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_wrapper:
    ParentImage|endswith:
      - '\npm.cmd'
      - '\npm.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  # On Windows npm.cmd is only a batch wrapper: lifecycle scripts are spawned by
  # node.exe running npm-cli.js, so that parent must be covered for the rule to fire.
  selection_node:
    ParentImage|endswith:
      - '\node.exe'
    ParentCommandLine|contains:
      - 'npm-cli.js'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: 1 of selection*
falsepositives:
  - Legitimate build scripts that require system configuration
level: medium
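To see which process-creation events the two rules above would flag, here is a small Python matcher run over constructed Sysmon-style events. This is an added example, not Security Arsenal's code; it supports only the `endswith` and `contains` modifiers, and the second selection for the npm rule (node.exe with `npm-cli.js` on the parent command line) is an assumption added here to cover the way npm actually hosts lifecycle scripts on Windows.

```python
# Minimal matcher for the two Sigma rules above: AND within a selection, OR across
# values and across selections ('1 of selection*'). Added example, not the page's code.
SHELLS = ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe"]

RULES = {
    # Rule 1 as published: node.exe spawning PowerShell or cmd.
    "Suspicious Node.js Child Process - PowerShell/CMD": [
        {"ParentImage|endswith": ["\\node.exe"], "Image|endswith": SHELLS[:2]},
    ],
    # Rule 2: the published npm.cmd/npm.exe parent plus an assumed extra selection for
    # node.exe running npm-cli.js (npm.cmd is a batch wrapper, never the ParentImage).
    "NPM Install Spawning Shell": [
        {"ParentImage|endswith": ["\\npm.cmd", "\\npm.exe"], "Image|endswith": SHELLS},
        {"ParentImage|endswith": ["\\node.exe"], "ParentCommandLine|contains": ["npm-cli.js"],
         "Image|endswith": SHELLS},
    ],
}

def field_matches(event, key, values):
    """'Field|modifier' against a value list (OR across values, case-insensitive)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    return any(v.lower() in actual for v in values)  # 'contains'

def selection_matches(selection, event):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def triage(events):
    """Return {event id: [rule titles]} for events where any selection of a rule fires."""
    hits = {}
    for ev in events:
        fired = [t for t, sels in RULES.items() if any(selection_matches(s, ev) for s in sels)]
        if fired:
            hits[ev["id"]] = fired
    return hits

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\nodejs\node.exe",   # npm lifecycle script
     "ParentCommandLine": r'node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /d /s /c "node postinstall.js"'},
    {"id": 2, "ParentImage": r"C:\Program Files\nodejs\node.exe",   # app code shelling out
     "ParentCommandLine": "node server.js",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Program Files\Git\cmd\git.exe"},
]
```

Event 1 fires both rules, event 2 only the first (no npm on the parent command line), and events 3 and 4 fire none; note that the published `npm.cmd` selection alone would never fire for event 1.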
Tags: soc, threat-intel, managed-soc, supply-chain, npm, nodejs, soc-mdr, incident-response
