T1059.007
Command and Scripting Interpreter: JavaScript
Description from ATT&CK
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
Atomic Tests
Atomic Test #1 - JScript execution to gather local computer information via cscript
JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
Supported Platforms: windows
auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| jscript | Path to sample script | string | PathToAtomicsFolder\T1059.007\src\sys_info.js |
Attack Commands: Run with command_prompt!
1
2
cscript "#{jscript}" > %tmp%\T1059.007.out.txt
Cleanup Commands:
1
del %tmp%\T1059.007.out.txt >nul 2>&1
Dependencies: Run with powershell!
Description: Sample script must exist on disk at specified location (#{jscript}) Check Prereq Commands:
1
2
if (Test-Path "#{jscript}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -ItemType Directory (Split-Path "#{jscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
Atomic Test #2 - JScript execution to gather local computer information via wscript
JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
Supported Platforms: windows
auto_generated_guid: 0709945e-4fec-4c49-9faf-c3c292a74484
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| jscript | Path to sample script | string | PathToAtomicsFolder\T1059.007\src\sys_info.js |
Attack Commands: Run with command_prompt!
1
2
wscript "#{jscript}"
Dependencies: Run with powershell!
Description: Sample script must exist on disk at specified location (#{jscript}) Check Prereq Commands:
1
2
if (Test-Path "#{jscript}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -ItemType Directory (Split-Path "#{jscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"