Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.[1]
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.[2][3][4]
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.[5][6][7][8][9]
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
ID | Name | Description |
---|---|---|
S0622 | AppleSeed | AppleSeed has the ability to use JavaScript to execute PowerShell.[10] |
G0050 | APT32 | APT32 has used JavaScript for drive-by downloads and C2 communications.[11][12] |
S0373 | Astaroth | Astaroth uses JavaScript to perform its core functionalities.[13][14] |
S0640 | Avaddon | Avaddon has been executed through a malicious JScript downloader.[15][16] |
S0482 | Bundlore | Bundlore can execute JavaScript by injecting it into the victim's browser.[17] |
C0015 | C0015 | During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.[18] |
C0017 | C0017 | During C0017, APT41 deployed JScript web shells on compromised systems.[19] |
S0631 | Chaes | Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process.[20] |
G0080 | Cobalt Group | Cobalt Group has executed JavaScript scriptlets on the victim's machine.[21][22][23][24][25][26] |
S0154 | Cobalt Strike | The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.[27] |
S0673 | DarkWatchman | DarkWatchman uses JavaScript to perform its core functionalities.[28] |
S0695 | Donut | Donut can generate shellcode outputs that execute via JavaScript or JScript.[29] |
G1006 | Earth Lusca | Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.[30] |
G1003 | Ember Bear | Ember Bear has used JavaScript to execute malicious code on a victim's machine.[31] |
S0634 | EnvyScout | EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.[32] |
G0120 | Evilnum | Evilnum has used malicious JavaScript files on the victim's machine.[33] |
G0037 | FIN6 | FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.[34] |
G0046 | FIN7 | FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[35][36] |
S0417 | GRIFFON | GRIFFON is written in and executed as JavaScript.[37] |
G0126 | Higaisa | Higaisa used JavaScript to execute additional files.[38][39][40] |
G0119 | Indrik Spider | Indrik Spider has used malicious JavaScript files for several components of their attack.[41] |
S0260 | InvisiMole | InvisiMole can use a JavaScript file as part of its execution chain.[42] |
S0283 | jRAT | |
S0648 | JSS Loader | JSS Loader can download and execute JavaScript files.[44] |
G0094 | Kimsuky | Kimsuky has used JScript for logging and downloading additional tools.[45][46] |
S0356 | KONNI | |
S1075 | KOPILUWAK | KOPILUWAK has used JavaScript to perform its core functions.[48] |
G0140 | LazyScripter | LazyScripter has used JavaScript in its attacks.[49] |
G0077 | Leafminer | |
S0455 | Metamorfo | |
G0021 | Molerats | Molerats used various implants, including those built with JS, on target machines.[52] |
G1019 | MoustachedBouncer | MoustachedBouncer has used JavaScript to deliver malware hosted on HTML pages.[53] |
G0069 | MuddyWater | MuddyWater has used JavaScript files to execute its POWERSTATS payload.[54][55][56] |
S0228 | NanHaiShu | NanHaiShu executes additional JScript code on the victim's machine.[57] |
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors used JavaScript code.[58] |
S0223 | POWERSTATS | POWERSTATS can use JavaScript code for execution.[54] |
S0650 | QakBot | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.[59][60] |
G0121 | Sidewinder | Sidewinder has used JavaScript to drop and execute malware loaders.[61][62] |
G0091 | Silence | |
S1124 | SocGholish | The SocGholish payload is executed as JavaScript.[64][65][66][67] |
S0646 | SpicyOmelette | SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.[68] |
G0092 | TA505 | |
G0010 | Turla | |
S0476 | Valak | Valak can execute JavaScript containing configuration data for establishing persistence.[72] |
S1116 | WARPWIRE | WARPWIRE is a credential harvester written in JavaScript.[73] |
S0341 | Xbash | Xbash can execute malicious JavaScript payloads on the victim's machine.[74] |
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content.[75] |
M1042 | Disable or Remove Feature or Program | Turn off or restrict access to unneeded scripting components. |
M1038 | Execution Prevention | Denylist scripting where appropriate. |
M1021 | Restrict Web-Based Content | Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through |
DS0011 | Module | Module Load | Monitor for the loading of modules associated with scripting languages (ex: JScript.dll). |
DS0009 | Process | Process Creation | Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts |
DS0012 | Script | Script Execution | Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |