title: JavaScript (T1059.007)
id: df00tech-t1059-007
status: experimental
description: "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language commonly associated with web pages, but can also execute in runtime environments outside the browser. JScript is Microsoft's implementation interpreted via the Windows Script engine. JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included in Apple's Open Scripting Architecture. Adversaries abuse JS for drive-by compromises, malicious email attachments (.js files), HTA-based payloads, and post-exploitation on macOS via JXA. Threat actors including APT32, TA505, Contagious Interview, and FIN6 use JavaScript extensively."
references:
  - https://attack.mitre.org/techniques/T1059/007/
  - https://df00tech.com/detections/T1059.007
author: df00tech
date: 2026/04/16
tags:
  - attack.t1059.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches every process_creation event.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Developers running Node.js applications on their workstations or servers
  - IT automation scripts using JScript/WSF for system administration tasks
  - macOS developers using JXA for application automation and testing
  - Build systems and CI/CD pipelines that invoke Node.js
level: high
