Detect JavaScript in Splunk
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.007 JavaScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/007/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\node.exe")
| eval CommandLine=lower(CommandLine)
| eval IsJScript=if(match(CommandLine, "\.(js|jse|wsf)($|\s|\")"), 1, 0)
| eval IsNodeJS=if(match(Image, "node\.exe$"), 1, 0)
| eval ActiveXUse=if(match(CommandLine, "(activexobject|wscript\.createobject|getobject)"), 1, 0)
| eval ShellExec=if(match(CommandLine, "(wscript\.shell|shell\.application|powershell|cmd\s+/c)"), 1, 0)
| eval NetworkDownload=if(match(CommandLine, "(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)"), 1, 0)
| eval SuspicionScore=IsJScript + ActiveXUse*2 + ShellExec*2 + NetworkDownload*2
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsJScript, IsNodeJS, ActiveXUse, ShellExec, NetworkDownload, SuspicionScore
| sort - _timeDetects suspicious JavaScript execution on Windows using Sysmon Event ID 1. Covers JScript (.js/.jse) via Windows Script Host, Node.js, and MSHTA. Evaluates for ActiveX COM object abuse, shell command execution, and network downloads. Higher-weight scoring for shell execution and network activity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developers running Node.js applications on workstations or servers
- IT automation scripts using JScript/WSF for system administration
- Build systems and CI/CD pipelines that invoke Node.js
- Windows login scripts using JScript via Group Policy
Other platforms for T1059.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1JScript Execution via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.
- Test 2Node.js Command Execution
Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.
- Test 3JXA Execution on macOS
Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.
References (6)
- https://attack.mitre.org/techniques/T1059/007/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md
- https://nodejs.org/
- https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://lolbas-project.github.io/
Unlock Pro Content
Get the full detection package for T1059.007 including response playbook, investigation guide, and atomic red team tests.