Attachment: File execution via Javascript

Aug 21, 2023 · Attack surface reduction ·

Javascript contains identifiers or strings that may attempt to execute files.

Sublime rule (View on GitHub)

 1name: "Attachment: File execution via Javascript"
 2description: |
 3    Javascript contains identifiers or strings that may attempt to execute files.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          .file_type in $file_extensions_common_archives
10          and any(beta.binexplode(.),
11                  any(.scan.javascript.identifiers, strings.ilike(., 'ActiveXObject', 'ShellExecute'))
12                  or (
13                    length(.scan.javascript.strings) > 0
14                    and all(.scan.javascript.strings, strings.ilike(., 'Shell.Application', '*.exe'))
15                  )
16          )
17  )
18  // first-time sender
19  and (
20    (
21      sender.email.domain.root_domain in $free_email_providers
22      and sender.email.email not in $sender_emails
23    )
24    or (
25      sender.email.domain.root_domain not in $free_email_providers
26      and sender.email.domain.domain not in $sender_domains
27    )
28  )  
29tags:
30  - "Attack surface reduction"
31attack_types:
32  - "Malware/Ransomware"
33tactics_and_techniques:
34  - "Evasion"
35  - "Scripting"
36detection_methods:
37  - "Archive analysis"
38  - "File analysis"
39  - "Javascript analysis"
40  - "Sender analysis"
41id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"

Attachment: File execution via Javascript

Sublime rule (View on GitHub)

Related rules