Suspicious Deno File Written from Remote Source
Detects Deno writing a file fetched via a direct HTTP(S) call into the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
Sigma rule
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
  Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL.
  This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
  - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
  - attack.execution
  - attack.t1204
  - attack.t1059.007
  - attack.command-and-control
  - attack.t1105
logsource:
  category: file_event
  product: windows
detection:
  selection_path:
    TargetFilename|contains:
      - '\deno\gen\'
      - '\deno\remote\https\'
    TargetFilename|contains|all:
      - ':\Users\'
      - '\AppData\'
  condition: selection_path
falsepositives:
  - Legitimate usage of deno to request a file or bring a DLL to a host
level: low
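The selection_path block above combines two field conditions with AND: the first needs any of its substrings, the second needs all of them, and Sigma string matching is case-insensitive. The following is an added example, not code from the rule authors or the SigmaHQ project, that evaluates that logic over constructed Sysmon Event ID 11 (FileCreate) records; the sample paths and hostnames are made up.

```python
# Added example: minimal evaluator for this rule's selection_path block.
# Sigma 'contains' modifiers are case-insensitive, so everything is
# lower-cased before comparison. Patterns are copied from the rule.
CONTAINS_ANY = ['\\deno\\gen\\', '\\deno\\remote\\https\\']
CONTAINS_ALL = [':\\Users\\', '\\AppData\\']


def selection_path(target_filename: str) -> bool:
    """True when TargetFilename satisfies both field conditions of
    selection_path: any of CONTAINS_ANY AND all of CONTAINS_ALL."""
    tf = target_filename.lower()
    any_hit = any(p.lower() in tf for p in CONTAINS_ANY)
    all_hit = all(p.lower() in tf for p in CONTAINS_ALL)
    return any_hit and all_hit


def evaluate(events):
    """Return the TargetFilename of every file_event record that matches."""
    return [e["TargetFilename"] for e in events
            if selection_path(e.get("TargetFilename", ""))]


# Constructed sample file_event records (Sysmon EID 11 style), not real telemetry.
SAMPLE_EVENTS = [
    # Remote module cached under a user's AppData: matches.
    {"Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\deno\remote\https\example.invalid\abc123"},
    # Generated (transpiled) artefact under AppData: matches.
    {"Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\deno\gen\file\C\project\main.ts.js"},
    # Cache relocated outside AppData (e.g. a custom DENO_DIR): no match,
    # which is the blind spot a defender should be aware of.
    {"Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "TargetFilename": r"D:\build\deno_cache\remote\https\example.invalid\def456"},
    # Unrelated AppData write by another process: no match.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\doc.lnk"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The third record shows why the rule is tagged low: a cache directory moved outside AppData produces the same Deno artefacts without tripping the path check.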
Related rules
- Potential In-Memory Download And Compile Of Payloads
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE
- Command Line Execution with Suspicious URL and AppData Strings
- Greenbug Espionage Group Indicators