This detection identifies PDF files whose embedded JavaScript calls Acrobat document-API functions (getAnnots, getPageNumWords, getPageNthWord, this.info) that adversaries commonly use to split JavaScript across a document and reassemble it at run time, hiding code that may be part of a larger malicious payload. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before it leads to more sophisticated attacks.
YARA Rule
rule js_splitting : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "These are commonly used to split up JS code"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        $js = /\/JavaScript/
        $s0 = "getAnnots"
        $s1 = "getPageNumWords"
        $s2 = "getPageNthWord"
        $s3 = "this.info"
    condition:
        $magic in (0..1024) and $js and 1 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains six string patterns in its detection logic: the $magic header bytes (%PDF, which must start within the first 1024 bytes of the file), the $js regex (/JavaScript), and the four Acrobat API strings $s0 through $s3, of which at least one must be present.
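To show exactly what the condition above accepts and rejects, here is an added Python re-implementation of the rule's logic (example code written for this page, not the rule author's tooling) run over constructed PDF skeletons; the sample bytes and the function name evaluate_js_splitting are assumptions for illustration.

```python
import re

# Patterns from the js_splitting rule, re-implemented here for illustration.
PDF_MAGIC = b"%PDF"                       # $magic = { 25 50 44 46 }
JS_MARKER = re.compile(rb"/JavaScript")   # $js
SPLIT_STRINGS = {                         # $s0 .. $s3
    "s0": b"getAnnots",
    "s1": b"getPageNumWords",
    "s2": b"getPageNthWord",
    "s3": b"this.info",
}


def evaluate_js_splitting(data: bytes) -> dict:
    """Apply the rule's condition to raw file bytes.

    Returns the verdict plus each sub-condition so an analyst can see
    why a file did or did not match.
    """
    # "$magic in (0..1024)": the magic must begin at offset 0..1024 inclusive,
    # so the search window ends at 1024 + len(PDF_MAGIC).
    magic_hit = data.find(PDF_MAGIC, 0, 1024 + len(PDF_MAGIC)) != -1
    js_hit = JS_MARKER.search(data) is not None
    # "1 of ($s*)": at least one of the Acrobat API strings must be present
    split_hits = sorted(name for name, s in SPLIT_STRINGS.items() if s in data)
    return {
        "matched": magic_hit and js_hit and len(split_hits) >= 1,
        "magic": magic_hit,
        "js": js_hit,
        "split_strings": split_hits,
    }


# Constructed samples (hypothetical, trimmed PDF skeletons; not real malware).
SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (var n = this.getPageNumWords(0); "
    b"var c = ''; for (var i = 0; i < n; i++) c += this.getPageNthWord(0, i);) >> endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = (  # has JavaScript, but none of the word-reassembly API calls
    b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj\n%%EOF\n"
)
NOT_PDF = b"// bundle.js\nfunction getAnnots() {}\n// /JavaScript\n"  # no %PDF magic

if __name__ == "__main__":
    for label, blob in [("suspect", SUSPECT_PDF), ("benign", BENIGN_PDF), ("js file", NOT_PDF)]:
        print(label, evaluate_js_splitting(blob))
```

Because of the $magic condition, a plain .js file containing the same API names does not match, and a PDF whose header starts beyond offset 1024 is also missed, which is worth knowing when tuning.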
Scenario: A developer is using Webpack to bundle JavaScript modules, which often includes splitting code into chunks using splitChunks or similar configurations.
Filter/Exclusion: Exclude events related to webpack or splitChunks in the detection logic, or filter by process names like webpack or webpack-cli.

Scenario: A scheduled job runs Babel to transpile JavaScript code, which may involve splitting or transforming code into separate files.
Filter/Exclusion: Exclude processes associated with Babel (e.g., babel or babel-cli) or filter by job names that include “transpile” or “build”.

Scenario: System administrators use npm scripts to run build tools like Rollup or Parcel, which may split JavaScript code during the build process.
Filter/Exclusion: Exclude npm scripts that include build tools like rollup or parcel, or filter by command-line arguments containing --split or similar flags.

Scenario: CI/CD pipelines (e.g., GitHub Actions, Jenkins) execute TypeScript compilation using tsc, which may generate multiple output files as part of the build.
Filter/Exclusion: Exclude events related to CI/CD pipelines or processes named tsc, or filter by environment variables like CI or GITHUB_ACTIONS.

Scenario: Legacy systems use AMD (Asynchronous Module Definition) or RequireJS to dynamically load modules, which may split code into multiple files.
Filter/Exclusion: Exclude processes or files associated with requirejs or AMD, or filter by file extensions like .js or .amd.