Detect JavaScript in Elastic Security
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.007 JavaScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/007/
Elastic Detection Query
sequence by host.id with maxspan=30s
[process where event.type == "start" and
process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "osascript") and
(
process.args : ("*.js", "*.jse", "*.wsf", "*.hta") or
process.command_line : ("*WScript.Shell*", "*Shell.Application*", "*ActiveXObject*",
"*Scripting.FileSystemObject*", "*ADODB.Stream*",
"*MSXML2.XMLHTTP*", "*WinHttp.WinHttpRequest*",
"*WScript.CreateObject*", "*GetObject*",
"*eval(*", "*new Function*", "*RunHTMLApplication*",
"*powershell*", "*cmd /c*", "*cmd.exe*",
"*certutil*", "*bitsadmin*", "*javascript:*",
"*ScriptEngine*") or
(process.name == "osascript" and process.args : "-l" and process.args : "JavaScript")
)
] by process.pidDetects JavaScript abuse via wscript.exe, cscript.exe, mshta.exe, node.exe, or osascript executing suspicious patterns including ActiveX object creation, shell execution, network downloads, and encoded payload delivery consistent with T1059.007.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise automation scripts using WScript or CScript for IT management tasks such as software deployment or configuration management
- Node.js-based development tools and build pipelines that invoke subprocess commands or network requests during normal operation
- macOS JXA-based IT management scripts deployed via MDM solutions such as Jamf or Mosyle that use osascript with JavaScript
Other platforms for T1059.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1JScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.
- Test 2Node.js Command Execution
Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.
- Test 3JXA Execution on macOS
Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.
References (6)
- https://attack.mitre.org/techniques/T1059/007/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md
- https://nodejs.org/
- https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://lolbas-project.github.io/
Unlock Pro Content
Get the full detection package for T1059.007 including response playbook, investigation guide, and atomic red team tests.