Sigma rule | Level: low | Hunting

Suspicious Deno File Written from Remote Source

Detects Deno writing a file from a direct HTTP(s) call and writing to the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.

MITRE ATT&CK

execution, command-and-control

Detection Query

selection_path:
  TargetFilename|contains:
    - '\deno\gen\'
    - '\deno\remote\https\'
  TargetFilename|contains|all:
    - ':\Users\'
    - '\AppData\'
condition: selection_path
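To show how the selection evaluates, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that applies the rule's `contains` list (any marker may match) and `contains|all` list (every marker must match) to constructed file-event records; the field names follow Sysmon Event ID 11 and all sample paths are invented.

```python
"""Evaluate the 'Suspicious Deno File Written from Remote Source' Sigma rule
against constructed Windows file-event records (Sysmon Event ID 11 style)."""

# Mirrors the rule's selection_path: an OR list for `contains` and an AND list
# for `contains|all`. Sigma string matching is case-insensitive by default.
DENO_CACHE_MARKERS = ["\\deno\\gen\\", "\\deno\\remote\\https\\"]
USER_APPDATA_MARKERS = [":\\Users\\", "\\AppData\\"]


def matches_rule(target_filename: str) -> bool:
    """True when TargetFilename satisfies selection_path (both keys are ANDed)."""
    path = target_filename.lower()
    in_deno_cache = any(m.lower() in path for m in DENO_CACHE_MARKERS)
    in_user_appdata = all(m.lower() in path for m in USER_APPDATA_MARKERS)
    return in_deno_cache and in_user_appdata


def evaluate(events):
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e.get("TargetFilename", ""))]


# Constructed sample file-event records (not real telemetry).
SAMPLE_EVENTS = [
    # Remotely fetched module cached under the user's AppData: fires.
    {"Image": r"C:\Program Files\deno\deno.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\deno\remote\https\example.invalid\a1b2c3"},
    # Write into the gen cache under AppData: fires.
    {"Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\deno\gen\file\mod.ts.js"},
    # Same cache layout outside \Users\...\AppData\: the |all list fails, no alert.
    {"Image": r"D:\tools\deno.exe",
     "TargetFilename": r"D:\builds\cache\deno\gen\file\mod.ts.js"},
    # Ordinary AppData write with no Deno cache marker: no alert.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT", hit)
```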

Author

Josh Nickels, Michael Taggart

Created

2025-05-22

Data Sources

windows (File Events)

Platforms

windows

Tags

attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105

Raw Content

title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low