Attachment: File execution via Javascript
Javascript contains identifiers or strings that may attempt to execute files.
Sublime rule (View on GitHub)
1name: "Attachment: File execution via Javascript"
2description: |
3 Javascript contains identifiers or strings that may attempt to execute files.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(attachments,
9 .file_type in $file_extensions_common_archives
10 and any(file.explode(.),
11 any(.scan.javascript.identifiers,
12 strings.ilike(., 'ActiveXObject', 'ShellExecute')
13 )
14 or (
15 length(.scan.javascript.strings) > 0
16 and all(.scan.javascript.strings,
17 strings.ilike(., 'Shell.Application', '*.exe')
18 )
19 )
20 )
21 )
22tags:
23 - "Attack surface reduction"
24attack_types:
25 - "Malware/Ransomware"
26tactics_and_techniques:
27 - "Evasion"
28 - "Scripting"
29detection_methods:
30 - "Archive analysis"
31 - "File analysis"
32 - "Javascript analysis"
33 - "Sender analysis"
34id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"
Related rules
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Service abuse: Facebook business with action required subject
- Attachment: ICS file with links to newly registered domains
- Service abuse: Google Firebase sender address with suspicious content
- Link: Apple TestFlight from suspicious sender