From ddec67b836a9973b9fdc37d31e05be52420c2e77 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Mon, 30 Jun 2025 09:02:04 +0000
Subject: [PATCH] feat(threat-hunting): NodeJS spawning cmd.exe

---
 source/threat-hunting/index.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 0fd82b4..247e1f4 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -1120,6 +1120,16 @@ SPL:
 | rename Filesystem.* AS *, signature_id AS EventCode, signature AS EventDescription, file_name AS ShareName, file_path AS ShareLocalPath, file_target AS RelativeTargetName
 ```
 
+## NodeJS spawning cmd.exe
+
+References: [1](https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2025/)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.parent_process_name="node.exe" Processes.process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```
+
 ## OneNote IOC
 
 References: [1](https://redcanary.com/blog/intelligence-insights-february-2023/)