Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique JavaScript
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
JavaScript
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Command and Scripting Interpreter:  JavaScript

ID Name
.001 PowerShell
.002 AppleScript
.003 Windows Command Shell
.004 Unix Shell
.005 Visual Basic
.006 Python
.007 JavaScript
.008 Network Device CLI

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts) JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode) Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.

ID: T1059.007
Sub-technique of:  T1059
Tactic(s): Execution
Platforms: Linux, macOS, Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: Command: Command Execution, Module: Module Load, Process: Process Creation, Script: Script Execution
Version: 2.1
Created: 23 Jun 2020
Last Modified: 16 Aug 2021

Procedure Examples
Name Description
AppleSeed

AppleSeed has the ability to use JavaScript to execute PowerShell.(Citation: Malwarebytes Kimsuky June 2021)
Cobalt Strike

The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.(Citation: Talos Cobalt Strike September 2020)
Metamorfo

Metamorfo includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020)

Turla

Turla has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018)

APT32

APT32 has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)
NanHaiShu

NanHaiShu executes additional Jscript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016)
FIN6

FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019)
Sidewinder

Sidewinder has used JavaScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)
QakBot

The QakBot web inject module can inject Java Script into web banking pages visited by the victim.(Citation: Kaspersky QakBot September 2021)
Avaddon

Avaddon has been executed through a malicious JScript downloader.(Citation: Hornet Security Avaddon June 2020)(Citation: Awake Security Avaddon)
MuddyWater

MuddyWater has used JavaScript files to execute its POWERSTATS payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Earth Lusca

Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022)
GRIFFON

GRIFFON is written in and executed as JavaScript.(Citation: SecureList Griffon May 2019)

Silence

Silence has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019)
LazyScripter

LazyScripter has used JavaScript in its attacks.(Citation: MalwareBytes LazyScripter Feb 2021)

EnvyScout

EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.(Citation: MSTIC Nobelium Toolset May 2021)
Valak

Valak can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020)
TA505

TA505 has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)
InvisiMole

InvisiMole can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020)
Astaroth

Astaroth uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)
FIN7

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)
JSS Loader

JSS Loader can download and execute JavaScript files.(Citation: CrowdStrike Carbon Spider August 2021)
Donut

Donut can generate shellcode outputs that execute via JavaScript or JScript.(Citation: Donut Github)

Xbash

Xbash can execute malicious JavaScript payloads on the victim’s machine.(Citation: Unit42 Xbash Sept 2018)
Cobalt Group

Cobalt Group has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
Higaisa

Higaisa used JavaScript to execute additional files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
Kimsuky

Kimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)
Ember Bear

Ember Bear has used JavaScript to execute malicious code on a victim's machine.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
jRAT

jRAT has been distributed as HTA files with JScript.(Citation: Kaspersky Adwind Feb 2016)

SpicyOmelette

SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.(Citation: Secureworks GOLD KINGSWOOD September 2018)
Indrik Spider

Indrik Spider has used malicious JavaScript files for several components of their attack.(Citation: Symantec WastedLocker June 2020)
POWERSTATS

POWERSTATS can use JavaScript code for execution.(Citation: ClearSky MuddyWater Nov 2018)
Molerats

Molerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019)

Chaes

Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process.(Citation: Cybereason Chaes Nov 2020)
Leafminer

Leafminer infected victims using JavaScript code.(Citation: Symantec Leafminer July 2018)

During Operation Dust Storm, the threat actors used JavaScript code.(Citation: Cylance Dust Storm)
Bundlore

Bundlore can execute JavaScript by injecting it into the victim's browser.(Citation: MacKeeper Bundlore Apr 2019)
Evilnum

Evilnum has used malicious JavaScript files on the victim's machine.(Citation: ESET EvilNum July 2020)
KONNI

KONNI has executed malicious JavaScript code.(Citation: Malwarebytes Konni Aug 2021)

During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.(Citation: DFIR Conti Bazar Nov 2021)
DarkWatchman

DarkWatchman uses JavaScript to perform its core functionalities.(Citation: Prevailion DarkWatchman 2021)

Mitigations
Mitigation Description
Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Detection

Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References

  1. Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.
  2. Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.
  3. Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.
  4. Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.
  5. Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.
  6. Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.
  7. Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript …. Retrieved June 23, 2020.
  8. Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.
  9. OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
  10. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  11. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  12. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  13. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  14. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  15. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  16. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  17. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  18. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  19. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  20. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  21. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  22. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  23. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  24. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  25. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  26. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  27. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  28. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  29. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  30. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  31. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  32. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  33. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  34. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  35. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  36. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  37. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  38. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  39. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  40. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  41. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  42. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  43. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  44. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  45. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  46. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  47. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  48. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  49. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  50. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  51. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  52. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  53. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  54. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  55. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  56. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  57. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  58. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  59. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  60. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  61. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  62. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  63. Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.
  64. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  65. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  66. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.