T1059.007 JavaScript Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "WScript.Shell", "Shell.Application",
  "Scripting.FileSystemObject", "ADODB.Stream",
  "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
  "ActiveXObject", "new Function",
  "eval(", "WScript.CreateObject",
  "powershell", "cmd /c", "cmd.exe",
  "certutil", "bitsadmin",
  "RunHTMLApplication", "javascript:",
  "ScriptEngine", "GetObject"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "osascript")
| where ProcessCommandLine has_any (SuspiciousPatterns) or ProcessCommandLine has_any (".js", ".jse", ".wsf")
| extend IsJScript = ProcessCommandLine has_any (".js", ".jse") and FileName in~ ("wscript.exe", "cscript.exe")
| extend IsNodeJS = FileName =~ "node.exe"
| extend IsJXA = FileName =~ "osascript" and ProcessCommandLine has "-l JavaScript"
| extend ActiveXUse = ProcessCommandLine has_any ("ActiveXObject", "WScript.CreateObject", "GetObject")
| extend ShellExec = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "powershell", "cmd /c")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsJScript, IsNodeJS, IsJXA, ActiveXUse, ShellExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Developers running Node.js applications on their workstations or servers
IT automation scripts using JScript/WSF for system administration tasks
macOS developers using JXA for application automation and testing
Build systems and CI/CD pipelines that invoke Node.js

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\node.exe")
| eval CommandLine=lower(CommandLine)
| eval IsJScript=if(match(CommandLine, "\.(js|jse|wsf)($|\s|\")"), 1, 0)
| eval IsNodeJS=if(match(Image, "node\.exe$"), 1, 0)
| eval ActiveXUse=if(match(CommandLine, "(activexobject|wscript\.createobject|getobject)"), 1, 0)
| eval ShellExec=if(match(CommandLine, "(wscript\.shell|shell\.application|powershell|cmd\s+/c)"), 1, 0)
| eval NetworkDownload=if(match(CommandLine, "(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)"), 1, 0)
| eval SuspicionScore=IsJScript + ActiveXUse*2 + ShellExec*2 + NetworkDownload*2
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsJScript, IsNodeJS, ActiveXUse, ShellExec, NetworkDownload, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers running Node.js applications on workstations or servers
IT automation scripts using JScript/WSF for system administration
Build systems and CI/CD pipelines that invoke Node.js
Windows login scripts using JScript via Group Policy

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start" and
   process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "osascript") and
   (
     process.args : ("*.js", "*.jse", "*.wsf", "*.hta") or
     process.command_line : ("*WScript.Shell*", "*Shell.Application*", "*ActiveXObject*",
                             "*Scripting.FileSystemObject*", "*ADODB.Stream*",
                             "*MSXML2.XMLHTTP*", "*WinHttp.WinHttpRequest*",
                             "*WScript.CreateObject*", "*GetObject*",
                             "*eval(*", "*new Function*", "*RunHTMLApplication*",
                             "*powershell*", "*cmd /c*", "*cmd.exe*",
                             "*certutil*", "*bitsadmin*", "*javascript:*",
                             "*ScriptEngine*") or
     (process.name == "osascript" and process.args : "-l" and process.args : "JavaScript")
   )
  ] by process.pid

high severity high confidence

Data Sources

Endpoint Windows Sysmon macOS Endpoint Security

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate enterprise automation scripts using WScript or CScript for IT management tasks such as software deployment or configuration management
Node.js-based development tools and build pipelines that invoke subprocess commands or network requests during normal operation
macOS JXA-based IT management scripts deployed via MDM solutions such as Jamf or Mosyle that use osascript with JavaScript

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '.*\.(js|jse|wsf)(\s|"|$).*' THEN 1
    ELSE 0
  END AS is_jscript,
  CASE
    WHEN LOWER("Command") MATCHES '.*(activexobject|wscript\.createobject|getobject).*' THEN 2
    ELSE 0
  END AS activex_score,
  CASE
    WHEN LOWER("Command") MATCHES '.*(wscript\.shell|shell\.application|powershell|cmd\s+/c).*' THEN 2
    ELSE 0
  END AS shell_score,
  CASE
    WHEN LOWER("Command") MATCHES '.*(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest).*' THEN 2
    ELSE 0
  END AS network_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14) -- Windows Security, Sysmon, and related Windows log sources
  AND QIDNAME(qid) IN ('Process Create', 'ProcessCreate')
  AND (
    LOWER("Process Name") IN ('wscript.exe', 'cscript.exe', 'mshta.exe', 'node.exe', 'osascript')
  )
  AND (
    LOWER("Command") MATCHES '.*\.(js|jse|wsf|hta)(\s|"|$).*'
    OR LOWER("Command") MATCHES '.*(activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp|eval\(|new function|runhtmlapplication|certutil|bitsadmin|powershell|cmd\/c|scriptengine).*'
    OR (LOWER("Process Name") = 'osascript' AND LOWER("Command") MATCHES '.*-l javascript.*')
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon QRadar Windows DSM

Required Tables

events

False Positives

Legitimate Windows administrative scripts using CScript or WScript for enterprise automation, inventory management, or software deployment tools
Development and CI/CD pipeline tooling that uses Node.js with subprocess invocations for build automation
Security tools and vulnerability scanners that may invoke HTA or script-based components as part of legitimate scanning activity

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /EventCode=1|EventID=1|ProcessCreate/
| parse regex field=_raw "(?:Image|process\.name)[=:\s]+['"]?(?<process_name>[^'"\s,]+)" nodrop
| parse regex field=_raw "(?:CommandLine|command_line|process\.command_line)[=:\s]+['"]?(?<command_line>[^'"\n]+)" nodrop
| parse regex field=_raw "(?:ParentImage|parent\.process\.name)[=:\s]+['"]?(?<parent_image>[^'"\s,]+)" nodrop
| parse regex field=_raw "(?:User|username)[=:\s]+['"]?(?<username>[^'"\s,]+)" nodrop
| parse regex field=_raw "(?:Computer|host\.name|hostname)[=:\s]+['"]?(?<hostname>[^'"\s,]+)" nodrop
| where process_name matches /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)/
| where command_line matches /(?i)(\.(js|jse|wsf|hta)(\s|"|'|$)|activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp|winhttprequest|eval\(|new function|runhtmlapplication|certutil|bitsadmin|powershell|cmd\s+\/c|scriptengine|-l javascript)/
| eval is_jscript = if(command_line matches /(?i)\.(js|jse|wsf)/, 1, 0)
| eval is_nodejs = if(process_name matches /(?i)node\.exe/, 1, 0)
| eval is_jxa = if(process_name matches /(?i)osascript/ and command_line matches /(?i)-l javascript/, 1, 0)
| eval activex_use = if(command_line matches /(?i)(activexobject|wscript\.createobject|getobject)/, 1, 0)
| eval shell_exec = if(command_line matches /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, 1, 0)
| eval network_download = if(command_line matches /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)/, 1, 0)
| eval suspicion_score = is_jscript + (activex_use * 2) + (shell_exec * 2) + (network_download * 2)
| where suspicion_score > 0
| fields _messagetime, hostname, username, process_name, command_line, parent_image, is_jscript, is_nodejs, is_jxa, activex_use, shell_exec, network_download, suspicion_score
| sort by _messagetime desc

high severity medium confidence

Data Sources

Windows Event Log Sysmon macOS Endpoint CrowdStrike Falcon

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Enterprise IT automation relying on WScript or CScript for asset discovery, patch management, or configuration baselines
Node.js applications with shell-out patterns in build systems like Webpack, Gulp, or Grunt that use child_process to invoke commands
macOS management scripts using osascript with the -l JavaScript flag for legitimate Finder automation or MDM-deployed tooling

Google Chronicle / SecOps

yaral

rule t1059_007_javascript_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects JavaScript interpreter abuse via wscript.exe, cscript.exe, mshta.exe, node.exe, or osascript with suspicious command-line patterns. Covers JScript, Node.js, and macOS JXA execution vectors used by threat actors including APT32, TA505, and FIN6."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.007"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)$/
    (
      $e.principal.process.command_line = /(?i)\.(js|jse|wsf|hta)(\s|"|'|$)/ or
      $e.principal.process.command_line = /(?i)(activexobject|wscript\.createobject|getobject)/ or
      $e.principal.process.command_line = /(?i)(wscript\.shell|shell\.application)/ or
      $e.principal.process.command_line = /(?i)(adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest)/ or
      $e.principal.process.command_line = /(?i)(eval\(|new function\(|runhtmlapplication)/ or
      $e.principal.process.command_line = /(?i)(certutil|bitsadmin|powershell|cmd\.exe|cmd\s+\/c)/ or
      $e.principal.process.command_line = /(?i)(-l javascript|scriptengine|javascript:)/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint macOS Endpoint Sysmon via Chronicle Ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate business scripting using WScript or CScript for software deployment, network share enumeration, or Help Desk automation tools
Node.js web frameworks such as Express or Electron-based desktop applications invoking shell commands for system interaction
macOS developer workflows using osascript with JavaScript for Automator actions, Alfred workflows, or Raycast extensions

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)$/
| CommandLine = /(?i)(\.(js|jse|wsf|hta)(\s|"|'|$)|activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest|eval\(|new\s+function\(|runhtmlapplication|certutil|bitsadmin|powershell|cmd\.exe|cmd\s+\/c|scriptengine|-l\s+javascript|javascript:)/
| eval IsJScript = if(CommandLine = /(?i)\.(js|jse|wsf)/, "true", "false")
| eval IsNodeJS = if(ImageFileName = /(?i)node\.exe$/, "true", "false")
| eval IsJXA = if(ImageFileName = /(?i)osascript$/ AND CommandLine = /(?i)-l javascript/, "true", "false")
| eval ActiveXUse = if(CommandLine = /(?i)(activexobject|wscript\.createobject|getobject)/, 1, 0)
| eval ShellExec = if(CommandLine = /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, 1, 0)
| eval NetworkDownload = if(CommandLine = /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)/, 1, 0)
| eval SuspicionScore = ActiveXUse * 2 + ShellExec * 2 + NetworkDownload * 2 + if(IsJScript = "true", 1, 0)
| where SuspicionScore > 0
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsJScript, IsNodeJS, IsJXA, ActiveXUse, ShellExec, NetworkDownload, SuspicionScore]
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Falcon ProcessRollup2 Events

Required Tables

ProcessRollup2

False Positives

Legitimate use of Windows Script Host by enterprise software vendors for installation, licensing checks, or diagnostic scripts included in their products
Node.js-based monitoring agents such as Datadog or New Relic that use child_process.exec to collect system metrics and perform health checks
Red team or penetration testing tooling executing JavaScript payloads in authorized assessments without exclusions configured in the Falcon policy

JavaScript

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections