Detect JavaScript in IBM QRadar
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.007 JavaScript
- Canonical reference: https://attack.mitre.org/techniques/T1059/007/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
username,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process Name" AS parent_process,
CASE
WHEN LOWER("Command") MATCHES '.*\.(js|jse|wsf)(\s|"|$).*' THEN 1
ELSE 0
END AS is_jscript,
CASE
WHEN LOWER("Command") MATCHES '.*(activexobject|wscript\.createobject|getobject).*' THEN 2
ELSE 0
END AS activex_score,
CASE
WHEN LOWER("Command") MATCHES '.*(wscript\.shell|shell\.application|powershell|cmd(\.exe)?\s+/c).*' THEN 2
ELSE 0
END AS shell_score,
CASE
WHEN LOWER("Command") MATCHES '.*(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest).*' THEN 2
ELSE 0
END AS network_score
FROM events
WHERE
devicetype IN (12, 13, 14)
AND QIDNAME(qid) IN ('Process Create', 'ProcessCreate')
AND LOWER("Process Name") MATCHES '(.*[\\/])?(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)'
AND (
LOWER("Command") MATCHES '.*\.(js|jse|wsf|hta)(\s|"|$).*'
OR LOWER("Command") MATCHES '.*(activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp|eval\(|new function|runhtmlapplication|certutil|bitsadmin|powershell|cmd(\.exe)?\s+/c|scriptengine).*'
OR (LOWER("Process Name") MATCHES '(.*[\\/])?osascript' AND LOWER("Command") MATCHES '.*-l javascript.*')
)
AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 1000

QRadar AQL query detecting JavaScript interpreter abuse by monitoring process creation events for wscript.exe, cscript.exe, mshta.exe, node.exe, and osascript with suspicious command-line patterns indicative of T1059.007, including ActiveX use, shell invocation, and network download activity.

Deployment notes. The devicetype column holds the log source type ID; 12 is the built-in Microsoft Windows Security Event Log type, but the other values, and the log source type under which macOS endpoint telemetry arrives, must be confirmed in your deployment (for example with SELECT devicetype, LOGSOURCETYPENAME(devicetype) FROM events GROUP BY devicetype LAST 1 HOURS). As long as the devicetype list only admits Windows sources, the osascript branch can never fire; add the macOS log source type to the list before relying on it. "Process Name" is matched with a trailing-image regex rather than an exact IN list because the property frequently carries the full path (C:\Windows\System32\wscript.exe). The shell pattern is written as cmd(\.exe)?\s+/c so that both cmd /c and cmd.exe /c match. The four score columns are reported separately and not summed, and the JXA branch matches only on the -l JavaScript flag, so a macOS hit will typically carry all-zero scores and still deserves triage.
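The query's matching logic, re-implemented offline so the regexes can be exercised against sample process-creation records before the rule is deployed. This is an added example, not code from the original page or from QRadar: the ProcessEvent fields, the five sample events (constructed to mirror the three test scenarios under Testing Methodology plus two benign cases) and the parent-process allowlist are assumptions of this example. Two details that matter in practice are handled here: the image name is taken from the trailing path component, because "Process Name" often holds the full path, and the shell pattern accepts both cmd /c and cmd.exe /c.

```python
"""Offline check of the QRadar T1059.007 query's matching logic.

Added example, not code from the original page. It mirrors the CASE/WHERE
regexes of the AQL query in Python so the patterns can be tried against
constructed process-creation records. The ProcessEvent fields, all sample
events and the parent-process allowlist are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Interpreters the query looks for in "Process Name".
INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "osascript"}

# AQL MATCHES is a full-string match, so the query wraps each pattern in
# .* ... .*; re.search gives the same result without the wrapping.
SCRIPT_EXT = re.compile(r'\.(js|jse|wsf|hta)(\s|"|$)')
JS_EXT = re.compile(r'\.(js|jse|wsf)(\s|"|$)')
ACTIVEX = re.compile(r'activexobject|wscript\.createobject|getobject')
SHELL = re.compile(r'wscript\.shell|shell\.application|powershell|cmd(\.exe)?\s+/c')
NETWORK = re.compile(r'msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest')
INDICATORS = re.compile(
    r'activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application'
    r'|adodb\.stream|msxml2\.xmlhttp|winhttp|eval\(|new function|runhtmlapplication'
    r'|certutil|bitsadmin|powershell|cmd(\.exe)?\s+/c|scriptengine')
JXA_FLAG = re.compile(r'-l javascript')


@dataclass
class ProcessEvent:
    process_name: str  # bare image name or full path, as logged
    command: str       # full command line
    parent: str        # parent image name or path


def image_name(path):
    """Reduce a full image path to its lower-cased file name.

    QRadar's "Process Name" property often carries the full path, so the
    interpreter check must look at the trailing component, not an exact list.
    """
    return re.split(r'[\\/]', path.lower())[-1]


def classify(ev, allowed_parents=frozenset()):
    """Return the query's output columns for a matching event, else None."""
    name = image_name(ev.process_name)
    if name not in INTERPRETERS:
        return None
    cmd = ev.command.lower()
    matched = (SCRIPT_EXT.search(cmd) is not None
               or INDICATORS.search(cmd) is not None
               or (name == "osascript" and JXA_FLAG.search(cmd) is not None))
    if not matched:
        return None
    row = {
        "process": name,
        "parent": image_name(ev.parent),
        "is_jscript": 1 if JS_EXT.search(cmd) else 0,
        "activex_score": 2 if ACTIVEX.search(cmd) else 0,
        "shell_score": 2 if SHELL.search(cmd) else 0,
        "network_score": 2 if NETWORK.search(cmd) else 0,
    }
    row["total"] = (row["is_jscript"] + row["activex_score"]
                    + row["shell_score"] + row["network_score"])
    # Tuning (assumed control): a build or deployment parent may legitimately
    # run .js files, but it is never exempt once ActiveX, shell or network
    # indicators appear on the command line.
    behavioural = row["activex_score"] + row["shell_score"] + row["network_score"]
    if row["parent"] in allowed_parents and behavioural == 0:
        return None
    return row


def run(events, allowed_parents=frozenset()):
    """Apply classify() to a batch of events and keep the hits, in order."""
    hits = []
    for ev in events:
        row = classify(ev, allowed_parents)
        if row is not None:
            hits.append(row)
    return hits


# Constructed sample events (not real telemetry), one per scenario.
SAMPLE_EVENTS = [
    # Test 1 scenario: a mailed .js run by WSH, process name logged as a full path.
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\invoice.js"', "explorer.exe"),
    # Test 2 scenario: Node.js spawning a shell through child_process.
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 "node -e \"require('child_process').exec('cmd.exe /c whoami')\"",
                 "powershell.exe"),
    # Test 3 scenario: JXA on macOS; only the -l JavaScript branch can catch it.
    ProcessEvent("/usr/bin/osascript",
                 "osascript -l JavaScript -e \"Application('Terminal').doShellScript('whoami')\"",
                 "bash"),
    # Out of scope: VBScript is T1059.005, no .js extension and no indicator.
    ProcessEvent(r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo C:\ProgramData\Inventory\collect.vbs", "services.exe"),
    # CI/CD noise: a build script under a runner parent, no behavioural indicators.
    ProcessEvent(r"C:\Program Files\nodejs\node.exe", "node build.js", "jenkins.exe"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, allowed_parents=frozenset({"jenkins.exe"})):
        print(row)
```

Running the file prints the three true-positive rows and drops the Jenkins build script; run(SAMPLE_EVENTS) with the default empty allowlist shows the same build script as a fourth hit, which is the noise the False Positives section describes. The osascript row has a total of 0 because the score columns only encode Windows indicators, so triage on which branch matched rather than on the total.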
Data Sources
- Windows process creation events with the command line recorded: Sysmon Event ID 1 (Process Create), or Security Event ID 4688 with command-line auditing enabled. Without the command line the "Command" property is empty and every MATCHES branch of the query is dead.
- macOS process execution telemetry for osascript (unified log, or MDE DeviceProcessEvents on managed endpoints), ingested into QRadar under a log source type that the query's log source type filter includes.
Required Tables
- events, with the "Process Name", "Command" and "Parent Process Name" event properties available for the Windows and macOS log sources in use.
False Positives & Tuning
- Legitimate Windows administrative scripts using CScript or WScript for enterprise automation, inventory management, or software deployment tools
- Development and CI/CD pipeline tooling that uses Node.js with subprocess invocations for build automation
- Security tools and vulnerability scanners that may invoke HTA or script-based components as part of legitimate scanning activity
- Tune with narrow exclusions on the parent process or script path rather than by dropping an interpreter from the process list, and keep any exclusion conditional on the ActiveX, shell and network patterns not matching, so a known-good parent cannot mask a script that spawns a shell or downloads a payload
Testing Methodology
Validate this detection against three Atomic Red Team test cases for T1059.007. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: JScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1 (Process Create) for wscript.exe executing a .js file; a child process event for cmd.exe spawned by wscript.exe; an AMSI event for JScript content inspection.
- Test 2: Node.js Command Execution
Expected signal: Sysmon Event ID 1 (Process Create) for node.exe with child_process in the command line; a child process event for cmd.exe spawned by node.exe.
- Test 3: JXA Execution on macOS
Expected signal: unified log entry for an osascript process with the -l JavaScript flag; a process tree showing osascript spawning a child process for whoami; MDE DeviceProcessEvents on managed macOS endpoints.
References
- https://attack.mitre.org/techniques/T1059/007/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md
- https://nodejs.org/
- https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://lolbas-project.github.io/