NodeJS Execution of JavaScript File

Sigma Rules

Summary
This detection rule identifies instances where the Node.js executable (node.exe), a widely used JavaScript runtime, is used to execute JavaScript (.js) or JavaScript Core (.jsc) files. Attackers have been known to abuse Node.js to run malware covertly while masquerading as a legitimate process, and this evasion technique is a significant threat in environments where Node.js execution is infrequent. Legitimate Node.js operations can produce false positives, so the rule is written with that in mind; nonetheless, any unusual occurrence of this execution pattern should be investigated thoroughly, especially where Node.js usage is minimal or atypical. The rule relies on Windows process creation logs to identify the command line arguments that launch JavaScript files with node.exe, using characteristics unique to the Node.js product. The rule is operational but still marked as experimental, meaning its efficacy is under ongoing refinement and assessment.
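As an added illustration (not the rule's own source), the following Python re-implements the detection logic described above and runs it over constructed process-creation events; the Sigma field names (Image, CommandLine, Product) and the exact matching are assumptions about how the rule is written.

```python
# Added example: minimal re-implementation of the detection described above.
# Field names and matching logic are assumptions, not the rule's source.
import re

# Constructed sample process-creation events (not from any real host).
SAMPLE_EVENTS = [
    # Genuine node.exe running a script from a user-writable location.
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\Users\Public\update.js',
     "Product": "Node.js"},
    # node.exe renamed to masquerade as svchost.exe; the PE product metadata
    # still says Node.js, which is the "characteristic unique to the product".
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"svchost.exe C:\Users\alice\AppData\Local\Temp\loader.jsc",
     "Product": "Node.js"},
    # Benign node.exe invocation with no script argument.
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" --version',
     "Product": "Node.js"},
    # A .js file run by a different host (outside this rule's scope).
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\logon.js",
     "Product": "Microsoft Windows Operating System"},
]

# A .js or .jsc argument: the extension followed by whitespace, a quote, or end.
_JS_ARG = re.compile(r"\.jsc?(?=[\s\"']|$)", re.IGNORECASE)


def is_node_js_execution(event):
    """True when node.exe (by image name or Node.js product metadata) is
    launched with a .js or .jsc file on its command line."""
    image = event.get("Image", "").lower()
    product = event.get("Product", "")
    cmdline = event.get("CommandLine", "")
    node_binary = image.endswith("\\node.exe") or "Node.js" in product
    return node_binary and bool(_JS_ARG.search(cmdline))


def matching_events(events):
    """Filter a list of events down to those the rule would alert on."""
    return [e for e in events if is_node_js_execution(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The renamed-binary case shows why matching on product metadata matters: an image-name check alone would miss it.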
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2025-04-21