T1059.007 CrowdStrike LogScale · LogScale

Detect JavaScript in CrowdStrike LogScale

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.007 JavaScript
Canonical reference
https://attack.mitre.org/techniques/T1059/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)$/
| CommandLine = /(?i)(\.(js|jse|wsf|hta)(\s|"|'|$)|activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp\.winhttprequest|eval\(|new\s+function\(|runhtmlapplication|certutil|bitsadmin|powershell|cmd\.exe|cmd\s+\/c|scriptengine|-l\s+javascript|javascript:)/
| eval IsJScript = if(CommandLine = /(?i)\.(js|jse|wsf)/, "true", "false")
| eval IsNodeJS = if(ImageFileName = /(?i)node\.exe$/, "true", "false")
| eval IsJXA = if(ImageFileName = /(?i)osascript$/ AND CommandLine = /(?i)-l javascript/, "true", "false")
| eval ActiveXUse = if(CommandLine = /(?i)(activexobject|wscript\.createobject|getobject)/, 1, 0)
| eval ShellExec = if(CommandLine = /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, 1, 0)
| eval NetworkDownload = if(CommandLine = /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)/, 1, 0)
| eval SuspicionScore = ActiveXUse * 2 + ShellExec * 2 + NetworkDownload * 2 + if(IsJScript = "true", 1, 0)
| where SuspicionScore > 0
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsJScript, IsNodeJS, IsJXA, ActiveXUse, ShellExec, NetworkDownload, SuspicionScore]
| sort(field=@timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (CQL) query using ProcessRollup2 events to detect JavaScript interpreter abuse. Applies weighted suspicion scoring across JScript execution, ActiveX object instantiation, shell spawn chains, and in-script network download patterns associated with T1059.007. Covers wscript, cscript, mshta, node, and osascript.

Data Sources

CrowdStrike Falcon EndpointFalcon ProcessRollup2 Events

Required Tables

ProcessRollup2

False Positives & Tuning

  • Legitimate use of Windows Script Host by enterprise software vendors for installation, licensing checks, or diagnostic scripts included in their products
  • Node.js-based monitoring agents such as Datadog or New Relic that use child_process.exec to collect system metrics and perform health checks
  • Red team or penetration testing tooling executing JavaScript payloads in authorized assessments without exclusions configured in the Falcon policy
Download portable Sigma rule (.yml)

Other platforms for T1059.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1JScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.

  2. Test 2Node.js Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.

  3. Test 3JXA Execution on macOS

    Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1059.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.005Visual BasicT1059.002AppleScriptT1218.005MshtaT1189Drive-by CompromiseT1566.001Spearphishing AttachmentT1027Obfuscated Files or InformationT1559.001Component Object Model

Same Tactic: Execution

Popular Detections