T1059.007 Sumo Logic CSE · Sumo

Detect JavaScript in Sumo Logic CSE

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but it can also execute in runtime environments outside the browser. JScript is Microsoft's implementation, interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript and included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively.

MITRE ATT&CK

  • Tactic: Execution
  • Technique: T1059 Command and Scripting Interpreter
  • Sub-technique: T1059.007 JavaScript
  • Canonical reference: https://attack.mitre.org/techniques/T1059/007/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /EventCode=1|EventID=1|ProcessCreate/
// Field extraction: double quotes inside the pattern string must be escaped as \"
| parse regex field=_raw "(?:Image|process\.name)[=:\s]+['\"]?(?<process_name>[^'\"\s,]+)" nodrop
| parse regex field=_raw "(?:CommandLine|command_line|process\.command_line)[=:\s]+['\"]?(?<command_line>[^'\"\n]+)" nodrop
| parse regex field=_raw "(?:ParentImage|parent\.process\.name)[=:\s]+['\"]?(?<parent_image>[^'\"\s,]+)" nodrop
| parse regex field=_raw "(?:User|username)[=:\s]+['\"]?(?<username>[^'\"\s,]+)" nodrop
| parse regex field=_raw "(?:Computer|host\.name|hostname)[=:\s]+['\"]?(?<hostname>[^'\"\s,]+)" nodrop
// Stage 1: JS-capable interpreter with a suspicious token in its command line
| where process_name matches /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)/
| where command_line matches /(?i)(\.(js|jse|wsf|hta)(\s|"|'|$)|activexobject|wscript\.createobject|getobject|wscript\.shell|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp|winhttprequest|eval\(|new function|runhtmlapplication|certutil|bitsadmin|powershell|cmd\s+\/c|scriptengine|-l javascript)/
// Stage 2: indicator flags (Sumo uses "if(condition, then, else) as field", not eval)
| if(command_line matches /(?i)\.(js|jse|wsf)/, 1, 0) as is_jscript
| if(process_name matches /(?i)node\.exe/, 1, 0) as is_nodejs
| if(process_name matches /(?i)osascript/ and command_line matches /(?i)-l javascript/, 1, 0) as is_jxa
| if(command_line matches /(?i)(activexobject|wscript\.createobject|getobject)/, 1, 0) as activex_use
| if(command_line matches /(?i)(wscript\.shell|shell\.application|powershell|cmd\s+\/c)/, 1, 0) as shell_exec
| if(command_line matches /(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)/, 1, 0) as network_download
// Weighted score; Node and JXA execution count at weight 1 so that a bare node.exe or "osascript -l JavaScript" event is not dropped by the score filter
| (is_jscript + is_nodejs + is_jxa + (activex_use * 2) + (shell_exec * 2) + (network_download * 2)) as suspicion_score
| where suspicion_score > 0
| fields _messagetime, hostname, username, process_name, command_line, parent_image, is_jscript, is_nodejs, is_jxa, activex_use, shell_exec, network_download, suspicion_score
| sort by _messagetime desc

Severity: high. Confidence: medium.

Sumo Logic query detecting JavaScript interpreter abuse via process creation events, applying weighted suspicion scoring across key behavioral indicators: JScript/JXA execution, ActiveX object creation, shell execution chains, and network download patterns consistent with T1059.007.

Data Sources

  • Windows Event Log
  • Sysmon
  • macOS Endpoint
  • CrowdStrike Falcon

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*
  • _sourceCategory=*endpoint*

False Positives & Tuning

  • Enterprise IT automation relying on WScript or CScript for asset discovery, patch management, or configuration baselines
  • Node.js applications with shell-out patterns in build systems like Webpack, Gulp, or Grunt that use child_process to invoke commands
  • macOS management scripts using osascript with the -l JavaScript flag for legitimate Finder automation or MDM-deployed tooling
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: JScript Execution via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe executing .js file. Child process event for cmd.exe spawned by wscript.exe. AMSI Event: JScript content inspection.

  2. Test 2: Node.js Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for node.exe with child_process in CommandLine. Child process event for cmd.exe spawned by node.exe.

  3. Test 3: JXA Execution on macOS

    Expected signal: Unified Log: osascript process with '-l JavaScript' flag. Process tree shows osascript spawning child process for whoami. MDE DeviceProcessEvents on managed macOS endpoints.
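To check the three tests above against the query's filter-and-score logic without a Sumo tenant, here is an added Python transcription of that logic (not the page's own query or a Sumo Logic product) run over constructed Sysmon-style and macOS records. It assumes the is_nodejs and is_jxa flags contribute weight 1 to the score, and the sample paths, file names and the `sysmon()` helper are constructed for illustration.

```python
import re

# Field extractors and indicator patterns transcribed from the page's Sumo query.
FIELD_RE = {
    "process_name": re.compile(r"(?:Image|process\.name)[=:\s]+['\"]?(?P<v>[^'\"\s,]+)"),
    "command_line": re.compile(r"(?:CommandLine|command_line|process\.command_line)[=:\s]+['\"]?(?P<v>[^'\"\n]+)"),
    "parent_image": re.compile(r"(?:ParentImage|parent\.process\.name)[=:\s]+['\"]?(?P<v>[^'\"\s,]+)"),
}
INTERPRETER_RE = re.compile(r"(?i)(wscript\.exe|cscript\.exe|mshta\.exe|node\.exe|osascript)")
SUSPICIOUS_RE = re.compile(
    r"(?i)(\.(js|jse|wsf|hta)(\s|\"|'|$)|activexobject|wscript\.createobject|getobject|wscript\.shell"
    r"|shell\.application|adodb\.stream|msxml2\.xmlhttp|winhttp|winhttprequest|eval\(|new function"
    r"|runhtmlapplication|certutil|bitsadmin|powershell|cmd\s+/c|scriptengine|-l javascript)")
# (field, pattern, weight) per flag; the query scores ActiveX, shell and download at 2x.
# Assumption: is_nodejs (here) and is_jxa (below) count at weight 1 so Tests 2 and 3 surface.
INDICATORS = {
    "is_jscript": ("command_line", r"(?i)\.(js|jse|wsf)", 1),
    "is_nodejs": ("process_name", r"(?i)node\.exe", 1),
    "activex_use": ("command_line", r"(?i)(activexobject|wscript\.createobject|getobject)", 2),
    "shell_exec": ("command_line", r"(?i)(wscript\.shell|shell\.application|powershell|cmd\s+/c)", 2),
    "network_download": ("command_line", r"(?i)(msxml2\.xmlhttp|winhttp|adodb\.stream|xmlhttprequest)", 2),
}

def score_event(raw: str):
    """Return the enriched record the query would emit for one raw event, or None if it is filtered."""
    f = {k: (m.group("v") if (m := rx.search(raw)) else "") for k, rx in FIELD_RE.items()}
    # Stage-1 filters: a JS-capable interpreter and a suspicious token in its command line.
    if not INTERPRETER_RE.search(f["process_name"]) or not SUSPICIOUS_RE.search(f["command_line"]):
        return None
    for flag, (field, pat, _) in INDICATORS.items():
        f[flag] = int(bool(re.search(pat, f[field])))
    f["is_jxa"] = int(bool(re.search(r"(?i)osascript", f["process_name"])
                         and re.search(r"(?i)-l javascript", f["command_line"])))
    f["suspicion_score"] = f["is_jxa"] + sum(w * f[flag] for flag, (_, _, w) in INDICATORS.items())
    return f if f["suspicion_score"] > 0 else None

def sysmon(image, cmd, parent):
    """Build a constructed Sysmon-style Event ID 1 body (one 'Key: value' field per line)."""
    return f"Image: {image}\nCommandLine: {cmd}\nParentImage: {parent}"

# Constructed samples: one per test in the Testing Methodology, one benign build job, one known gap.
SAMPLES = {
    "test1_wscript_js": sysmon(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\bob\Downloads\invoice.js", r"C:\Windows\explorer.exe"),
    "test2_node": sysmon(r"C:\Tools\nodejs\node.exe", r"node.exe C:\build\tasks\child_process_runner.js", r"C:\Windows\System32\cmd.exe"),
    "test3_jxa": "process.name: osascript\nprocess.command_line: osascript -l JavaScript /Users/alice/run.js\nparent.process.name: Terminal",
    "benign_webpack": sysmon(r"C:\Tools\nodejs\node.exe", r"node.exe C:\proj\node_modules\webpack\bin\webpack.js --mode production", r"C:\Tools\nodejs\npm.cmd"),
    # Paths with spaces are cut at the first blank by the process_name capture, so this never matches node.exe.
    "gap_program_files": sysmon(r"C:\Program Files\nodejs\node.exe", r"node.exe C:\build\tasks\child_process_runner.js", r"C:\Windows\System32\cmd.exe"),
}
```

The benign webpack record scores the same as Test 2, which is the tuning case the False Positives section describes, and the last record shows that Node installed under Program Files is missed because the process_name capture stops at whitespace; the command_line capture likewise stops at the first quote character, so inline `node -e "..."` payloads are only partially captured.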
