Obfuscated Node.js Execution via CommandLine

Rule Info

Name
Obfuscated Node.js Execution via CommandLine
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
Reference
https://www.linkedin.com/posts/a-closer-look-at-contagious-interview-a-share-7426656611596705792-qhBh/
Date
2026-03-10 00:00:00
Modified
None
Id
17f5c211-12f0-4746-9e72-d78b3645dd9b
Tags
attack.execution attack.t1059.007 attack.defense-evasion attack.t1027.008 attack.t1027.010
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022