T1059.007 Google Chronicle · YARA-L

Detect JavaScript in Google Chronicle

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.007 JavaScript
Canonical reference
https://attack.mitre.org/techniques/T1059/007/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1059_007_javascript_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects JavaScript interpreter abuse via wscript.exe, cscript.exe, mshta.exe, node.exe, or osascript with suspicious command-line patterns. Covers JScript, Node.js, and macOS JXA execution vectors used by threat actors including APT32, TA505, and FIN6."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.007"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)$/
    (
      $e.principal.process.command_line = /(?i)\.(js|jse|wsf|hta)(\s|"|'|$)/ or
      $e.principal.process.command_line = /(?i)(activexobject|wscript\.createobject|getobject)/ or
      $e.principal.process.command_line = /(?i)(wscript\.shell|shell\.application)/ or
      $e.principal.process.command_line = /(?i)(adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest)/ or
      $e.principal.process.command_line = /(?i)(eval\(|new function\(|runhtmlapplication)/ or
      $e.principal.process.command_line = /(?i)(certutil|bitsadmin|powershell|cmd\.exe|cmd\s+\/c)/ or
      $e.principal.process.command_line = /(?i)(-l javascript|scriptengine|javascript:)/
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting JavaScript interpreter abuse across all major execution vectors — JScript via wscript/cscript, MSHTA-based payloads, Node.js execution, and macOS JXA via osascript — with pattern matching on command-line indicators associated with T1059.007 threat actor TTPs.

Data Sources

Google Chronicle UDMWindows EndpointmacOS EndpointSysmon via Chronicle Ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate business scripting using WScript or CScript for software deployment, network share enumeration, or Help Desk automation tools
  • Node.js web frameworks such as Express or Electron-based desktop applications invoking shell commands for system interaction
  • macOS developer workflows using osascript with JavaScript for Automator actions, Alfred workflows, or Raycast extensions
Download portable Sigma rule (.yml)

Other platforms for T1059.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1JScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.

  2. Test 2Node.js Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.

  3. Test 3JXA Execution on macOS

    Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1059.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.005Visual BasicT1059.002AppleScriptT1218.005MshtaT1189Drive-by CompromiseT1566.001Spearphishing AttachmentT1027Obfuscated Files or InformationT1559.001Component Object Model

Same Tactic: Execution

Popular Detections