T1059.007 Microsoft Sentinel · KQL

Detect JavaScript in Microsoft Sentinel

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.007 JavaScript
Canonical reference
https://attack.mitre.org/techniques/T1059/007/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousPatterns = dynamic([
  "WScript.Shell", "Shell.Application",
  "Scripting.FileSystemObject", "ADODB.Stream",
  "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
  "ActiveXObject", "new Function",
  "eval(", "WScript.CreateObject",
  "powershell", "cmd /c", "cmd.exe",
  "certutil", "bitsadmin",
  "RunHTMLApplication", "javascript:",
  "ScriptEngine", "GetObject"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "osascript")
| where ProcessCommandLine has_any (SuspiciousPatterns) or ProcessCommandLine has_any (".js", ".jse", ".wsf")
| extend IsJScript = ProcessCommandLine has_any (".js", ".jse") and FileName in~ ("wscript.exe", "cscript.exe")
| extend IsNodeJS = FileName =~ "node.exe"
| extend IsJXA = FileName =~ "osascript" and ProcessCommandLine has "-l JavaScript"
| extend ActiveXUse = ProcessCommandLine has_any ("ActiveXObject", "WScript.CreateObject", "GetObject")
| extend ShellExec = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "powershell", "cmd /c")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsJScript, IsNodeJS, IsJXA, ActiveXUse, ShellExec
| sort by Timestamp desc
high severity medium confidence

Detects suspicious JavaScript execution across Windows (JScript via wscript/cscript, Node.js) and macOS (JXA via osascript) using MDE. Identifies ActiveX object creation, shell command execution, and network download patterns common in JavaScript-based malware including SocGholish, Latrodectus, and BlackByte.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Developers running Node.js applications on their workstations or servers
  • IT automation scripts using JScript/WSF for system administration tasks
  • macOS developers using JXA for application automation and testing
  • Build systems and CI/CD pipelines that invoke Node.js
Download portable Sigma rule (.yml)

Other platforms for T1059.007

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1JScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.

  2. Test 2Node.js Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.

  3. Test 3JXA Execution on macOS

    Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1059.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.005Visual BasicT1059.002AppleScriptT1218.005MshtaT1189Drive-by CompromiseT1566.001Spearphishing AttachmentT1027Obfuscated Files or InformationT1559.001Component Object Model

Same Tactic: Execution

Popular Detections