The detection rule identifies PDF files whose %PDF header sits within the first 1024 bytes and which carry both an /OpenAction and a /JavaScript entry together with at least two of the strings eval, Array and String.fromCharCode. That combination points to a document that runs script as soon as it is opened, which may indicate an adversary attempting to execute arbitrary code or exfiltrate data through script-based attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage threats before they escalate into more severe compromises.
YARA Rule
rule suspicious_js : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
        $attrib0 = /\/OpenAction /
        $attrib1 = /\/JavaScript /
        $js0 = "eval"
        $js1 = "Array"
        $js2 = "String.fromCharCode"
    condition:
        $magic in (0..1024) and all of ($attrib*) and 2 of ($js*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
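To show how the three clauses of the condition combine, here is an added Python re-implementation of the rule's logic (not the YARA engine and not part of the original rule) run over constructed sample buffers that exercise the match case, the missing /OpenAction case, and the header-beyond-1024-bytes case:

```python
import re

# Re-implementation of the suspicious_js condition for offline testing.
# This is not the YARA engine; all sample data below is constructed.
MAGIC = b"%PDF"                                           # { 25 50 44 46 }
ATTRIBS = [re.compile(rb"/OpenAction "), re.compile(rb"/JavaScript ")]
JS_STRINGS = [b"eval", b"Array", b"String.fromCharCode"]


def magic_in_range(data: bytes, end: int = 1024) -> bool:
    """$magic in (0..1024): the first header occurrence must start at offset <= 1024."""
    idx = data.find(MAGIC)
    return 0 <= idx <= end


def count_js_strings(data: bytes) -> int:
    """Number of distinct $js* strings present (case-sensitive, as in YARA)."""
    return sum(1 for s in JS_STRINGS if s in data)


def evaluate(data: bytes) -> dict:
    """Return every sub-condition so an analyst can see why a buffer did or did not match."""
    result = {
        "magic_in_range": magic_in_range(data),
        "all_attribs": all(p.search(data) is not None for p in ATTRIBS),
        "js_hits": count_js_strings(data),
    }
    result["match"] = result["magic_in_range"] and result["all_attribs"] and result["js_hits"] >= 2
    return result


# Constructed sample: minimal PDF skeleton whose catalog declares an OpenAction
# pointing at a JavaScript action that uses two of the watched strings.
SAMPLE_MATCH = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (var a = new Array(); eval(a[0]);) >>\nendobj\n"
    b"%%EOF\n"
)
# Constructed variant: JavaScript is present but no /OpenAction, so 'all of ($attrib*)' fails.
SAMPLE_NO_OPENACTION = SAMPLE_MATCH.replace(b"/OpenAction 2 0 R", b"/Pages 3 0 R")
# Constructed variant: junk prepended so the header lands past offset 1024.
SAMPLE_LATE_MAGIC = b"X" * 2000 + SAMPLE_MATCH

if __name__ == "__main__":
    for name, blob in [("match", SAMPLE_MATCH), ("no_openaction", SAMPLE_NO_OPENACTION),
                       ("late_magic", SAMPLE_LATE_MAGIC)]:
        print(name, evaluate(blob))
```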
Scenario: A system administrator is using PowerShell to automate a routine system cleanup task.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the script path is in a known admin directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: A developer is using Webpack to bundle frontend JavaScript for a web application.
Filter/Exclusion: Exclude processes where the command line includes webpack and the working directory is within a known development project folder (e.g., C:\dev\myapp\).
Scenario: A scheduled job is running Node.js to process logs or generate reports.
Filter/Exclusion: Exclude processes where the executable is node.exe and the command line includes --schedule or --cron flags, or the working directory is in a known job directory (e.g., C:\ScheduledJobs\).
Scenario: A system update or patching tool is using JavaScript via a tool like Chocolatey or Scoop to execute scripts.
Filter/Exclusion: Exclude processes where the command line includes choco or scoop and the script path is in a known package directory (e.g., C:\ProgramData\chocolatey\).
Scenario: An IT team is using Jenkins or GitHub Actions to run CI/CD pipelines that include JavaScript build steps.
Filter/Exclusion: Exclude processes where the command line includes jenkins or github-actions and the working directory is within a known CI/CD pipeline directory (e.g., C:\Jenkins\workspace\).