Detection / DETPublic file

Node.js Runtime Added to Current User Run Key

Detects a current-user Windows Run key value whose data invokes Node.js. The rule requires registry-set telemetry with the full target path and written data and does not depend on campaign-specific value names or infrastructure.

Sigma source

Raw YAML
title: Node.js Runtime Added to Current User Run Key
id: 935cfd8d-6d2b-4b9d-bea9-7af07e9d9d1f
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a current-user Windows Run key value whose data invokes Node.js. The rule requires registry-set telemetry with the full target path and written data and does not depend on campaign-specific value names or infrastructure.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/15/unpacking-asyncapi-npm-supply-chain-compromise-import-time-payload-delivery/
logsource:
  category: registry_set
  product: windows
detection:
  selection_path:
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
  selection_runtime:
    Details|contains:
      - 'node.exe'
      - 'node '
  condition: selection_path and selection_runtime
falsepositives:
  - User-scoped developer tooling or legitimate applications that intentionally start a Node.js service at logon
  - Software installation or repair activity that registers an approved Node.js component
level: high
tags:
  - attack.persistence
  - attack.t1547.001

Relationships

Related files