T1059.007

JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Com...

Linux, macOS, Windows

58 Detections, 3 Sources, 25 Threat Actors

BY SOURCE

33 elastic, 21 sigma, 4 splunk_escu

PROCEDURES (39)

Auto-extracted detection counts by keyword:

Download: 5 detections
Process Creation Monitoring: 4 detections
Suspicious: 3 detections
Script Execution Monitoring: 3 detections
C2: 2 detections
Remote: 2 detections
Unusual: 2 detections
Suspicious: 2 detections
Remote: 2 detections
Bypass: 2 detections
File Monitoring: 2 detections
Powershell: 2 detections
Http: 1 detection
Suspicious: 1 detection
Credential: 1 detection
Cloud: 1 detection
Network Connection Monitoring: 1 detection
Lateral: 1 detection
Http: 1 detection
Parent Process: 1 detection
Child Process: 1 detection
Http: 1 detection
Child Process: 1 detection
Command And Control: 1 detection
Lateral: 1 detection
Wmi: 1 detection
Child Process: 1 detection
Wmi: 1 detection
Parent Process: 1 detection
Exfiltrat: 1 detection
Credential: 1 detection
Exfiltrat: 1 detection
C2: 1 detection
General Monitoring: 1 detection
Cloud: 1 detection
Persist: 1 detection
Unusual: 1 detection
Command And Control: 1 detection
Inject: 1 detection

DETECTIONS (58)

Adwind RAT / JRAT File Artifact (sigma, high)
AppLocker Prevented Application or Script from Running (sigma, medium)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Csc.EXE Execution Form Potentially Suspicious Parent (sigma, high)
Cscript/Wscript Uncommon Script Extension Execution (sigma, high)
Execution of a Downloaded Windows Script (elastic, medium)
Execution via Electron Child Process Node.js Module (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
Google Calendar C2 via Script Interpreter (elastic, high)
HackTool - CACTUSTORCH Remote Thread Creation (sigma, high)
HackTool - Koadic Execution (sigma, high)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
Jscript Execution Using Cscript App (splunk_escu)
JXA In-memory Execution Via OSAScript (sigma, high)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Management Console File from Unusual Path (elastic, medium)
MS Scripting Process Loading Ldap Module (splunk_escu)
MS Scripting Process Loading WMI Module (splunk_escu)
MSHTA Execution with Suspicious File Extensions (sigma, high)
Node Process Executions (sigma, medium)
Node.js Pre or Post-Install Script Execution (elastic, medium)
NodeJS Execution of JavaScript File (sigma, low)
Potential Dropper Script Execution Via WScript/CScript (sigma, medium)
Potential Etherhiding C2 via Blockchain Connection (elastic, high)
Potential In-Memory Download And Compile Of Payloads (sigma, medium)
Potential JAVA/JNDI Exploitation Attempt (elastic, high)
Potential Remote SquiblyTwo Technique Execution (sigma, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential SAP NetWeaver WebShell Creation (elastic, high)
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary (sigma, medium)
React2Shell (CVE-2025-55182) Exploitation Attempt (elastic, high)
React2Shell Network Security Alert (elastic, high)
Remote File Download via Script Interpreter (elastic, medium)
Remote XSL Script Execution via COM (elastic, low)
Script Execution via Microsoft HTML Application (elastic, high)
Script Interpreter Connection to Non-Standard Port (elastic, medium)
Script Interpreter Spawning Credential Scanner - Windows (sigma, high)
Suspicious .NET Code Compilation (elastic, medium)
Suspicious Automator Workflows Execution (elastic, medium)
Suspicious AWS S3 Connection via Script Interpreter (elastic, medium)
Suspicious Curl to Jamf Endpoint (elastic, high)
Suspicious Deno File Written from Remote Source (sigma, low)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Execution with NodeJS (elastic, high)
Suspicious HH.EXE Execution (sigma, high)
Suspicious Installer Package Child Process (sigma, medium)
Suspicious Installer Package Spawns Network Event (elastic, medium)
Suspicious JavaScript Execution via Deno (elastic, high)
Suspicious React Server Child Process (elastic, high)
Unusual Process Spawned from Web Server Parent (elastic, low)
Web Shell Detection: Script Process Child of Common Web Processes (elastic, high)
Windows Cmdline Tool Execution From Non-Shell Process (splunk_escu)
Windows Script Executing PowerShell (elastic, low)
Windows Script Execution from Archive (elastic, medium)
Windows Script Interpreter Executing Process via WMI (elastic, medium)
WScript or CScript Dropper - File (sigma, high)
XSL Script Execution Via WMIC.EXE (sigma, medium)