Attachment: File execution via Javascript

calendar Dec 19, 2023 · Attack surface reduction  ·
Share on: linkedin copy

Javascript contains identifiers or strings that may attempt to execute files.

Sublime rule (View on GitHub)

 1name: "Attachment: File execution via Javascript"
 2description: |
 3    Javascript contains identifiers or strings that may attempt to execute files.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          .file_type in $file_extensions_common_archives
10          and any(file.explode(.),
11                  any(.scan.javascript.identifiers, strings.ilike(., 'ActiveXObject', 'ShellExecute'))
12                  or (
13                    length(.scan.javascript.strings) > 0
14                    and all(.scan.javascript.strings, strings.ilike(., 'Shell.Application', '*.exe'))
15                  )
16          )
17  )
18  and (
19    profile.by_sender().prevalence in ("new", "outlier")
20    or profile.by_sender().any_messages_malicious_or_spam
21  )
22  and not profile.by_sender().any_false_positives
23    
24tags:
25  - "Attack surface reduction"
26attack_types:
27  - "Malware/Ransomware"
28tactics_and_techniques:
29  - "Evasion"
30  - "Scripting"
31detection_methods:
32  - "Archive analysis"
33  - "File analysis"
34  - "Javascript analysis"
35  - "Sender analysis"
36id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"

Related rules

to-top