Axios NPM Compromise File Creation Indicators

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects file creation events linked to the Axios NPM supply chain compromise.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "File Created or Modified" AND ( PROCESSNAME endswith "\node.exe,\powershell.exe,\pwsh.exe" AND ( (OBJECTNAME contains "\ProgramData\wt.exe,\ProgramData\system.bat" OR FILENAME contains "\ProgramData\wt.exe,\ProgramData\system.bat") OR (OBJECTNAME contains "\AppData\Local\Temp\6202033.vbs" OR FILENAME contains "\AppData\Local\Temp\6202033.vbs") )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST

Detection

Execution Mode

realtime

Log Sources

Windows