Description
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, compiled into applications or script files via osacompile, or compiled and executed in the memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse these JavaScript implementations to execute a range of behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise, or downloading and executing script files as secondary payloads. Because these payloads are text-based, adversaries also very commonly obfuscate their content as part of Obfuscated Files or Information.
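As an added example (not part of the ATT&CK page or of MITRE's own content), the following Python sketches the process-creation detection a defender would write for the execution paths the description names: the Windows Script Host and HTA hosts that run on the Windows Script engine, and osascript/osacompile invoked with the `-l JavaScript` switch on macOS. The `ProcessEvent` field names and the sample events are constructed for this demo (in practice they would be mapped from Sysmon Event ID 1 or EDR process-creation telemetry), and the `RISKY_PARENTS` severity escalation is an assumption about what deserves a higher alert level, not something the page states.

```python
"""Detection heuristics for JavaScript execution on Windows and macOS (T1059.007).

Added example, not part of the ATT&CK page. ProcessEvent fields and the sample
events below are constructed; map them from your own process-creation telemetry.
"""
import re
from dataclasses import dataclass
from typing import List

# Windows script hosts that execute JScript via the Windows Script engine.
WSH_IMAGES = {"wscript.exe", "cscript.exe"}
HTA_IMAGE = "mshta.exe"
# macOS Open Scripting Architecture utilities named on the page.
OSA_IMAGES = {"osascript", "osacompile"}

# Assumption: a script host spawned by Office or a browser usually means the
# user opened downloaded content, so such events are escalated to "high".
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# \b after the extension keeps ".json" and similar from matching as ".js".
JS_FILE_RE = re.compile(r"\S+\.(?:js|jse)\b", re.IGNORECASE)
# HTA file argument, or inline "javascript:" passed straight to mshta.
HTA_RE = re.compile(r"\.hta\b|javascript:", re.IGNORECASE)
# osascript/osacompile select JXA with "-l JavaScript"; a precompiled .scpt
# hides the language, so this only catches the explicit switch.
JXA_LANG_RE = re.compile(r"(?:^|\s)-l\s+javascript\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[Finding]:
    """Apply the three rules to one process-creation event."""
    image = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line
    severity = "high" if parent in RISKY_PARENTS else "medium"
    findings = []
    if image in WSH_IMAGES and JS_FILE_RE.search(cmd):
        findings.append(Finding(event.host, "wsh_javascript_file", severity, cmd))
    if image == HTA_IMAGE and HTA_RE.search(cmd):
        findings.append(Finding(event.host, "mshta_hta_or_inline_js", severity, cmd))
    if image in OSA_IMAGES and JXA_LANG_RE.search(cmd):
        findings.append(Finding(event.host, "osa_jxa_execution", severity, cmd))
    return findings


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Run evaluate() over a batch of events and flatten the results."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample telemetry: three JavaScript executions and two non-matches.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_3381.js"'),
    ProcessEvent("WS02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\bob\AppData\Local\Temp\update.hta"'),
    ProcessEvent("MAC01", "/bin/zsh", "/usr/bin/osascript",
                 "osascript -l JavaScript -e 'Application(\"Finder\").name()'"),
    # Benign VBScript inventory job: a script host, but not JavaScript.
    ProcessEvent("WS03", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe //nologo "C:\ProgramData\inventory\collect.vbs"'),
    # AppleScript, not JXA: no "-l JavaScript" switch.
    ProcessEvent("MAC02", "/bin/zsh", "/usr/bin/osascript",
                 "osascript -e 'display dialog \"hello\"'"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} [{f.severity}] {f.command_line}")
```

Run against the constructed events, the scan yields three findings (WS01 at medium, WS02 at high because its parent is WINWORD.EXE, MAC01 at medium) and correctly ignores the VBScript job and the AppleScript dialog. The rules are deliberately narrow; in production the same structure would be fed from real process-creation telemetry and tuned against the script hosts your environment legitimately uses.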
Mitigations (4)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content (Citation: win10_asr).
Execution Prevention (M1038)
Denylist scripting where appropriate.
Disable or Remove Feature or Program (M1042)
Turn off or restrict access to unneeded scripting components.
Restrict Web-Based Content (M1021)
Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
Threat Groups (26)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 201... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has delivered malicious Microsoft Office files containing an embedded JavaScript object that would... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FI... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used JavaScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)(Ci... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used JavaScript to deliver malware hosted on HTML pages.(Citation: MoustachedBouncer ES... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used a fileless attack chain composed of three JavaScript code snippets to execute subsequent p... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used JavaScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) pay... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has manipulated legitimate websites to inject malicious JavaScript code as part of their watering... |
| G1037 | TA577 | [TA577](https://attack.mitre.org/groups/G1037) has used JavaScript to execute additional malicious payloads.(Citation: Latrodectus APR 2024) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered malicious JavaScript to exploit targets when exploiting Roundcube Webmail servers.(Ci... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019) |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has leveraged JavaScript in the execution of their downloader malware targeting Windows ... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used JavaScript in its attacks.(Citation: MalwareBytes LazyScripter Feb 2021) |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 20... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used JavaScript to execute additional files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler H... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky Octobe... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used malicious JavaScript files for several components of their attack.(Citation: Symantec ... |
Associated Software (38)
| ID | Name | Type | Context |
|---|---|---|---|
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has the ability to use JavaScript to execute PowerShell.(Citation: Malwarebytes Kimsuky June 2021... |
| S0154 | Cobalt Strike | Malware | The [Cobalt Strike](https://attack.mitre.org/software/S0154) System Profiler can use JavaScript to perform reconnaissance actions.(Citation: Talos Cob... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020) |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has executed malicious JavaScript code.(Citation: Esentire ContagiousInterview BeaverTail Invisi... |
| S1144 | FRP | Tool | [FRP](https://attack.mitre.org/software/S1144) can support the use of a JSON configuration file.(Citation: FRP GitHub) |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can inject JavaScript code into HTML content to customize phishing attacks.(Citation: Breakdev Ev... |
| S0228 | NanHaiShu | Malware | [NanHaiShu](https://attack.mitre.org/software/S0228) executes additional JScript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016) |
| S0650 | QakBot | Malware | The [QakBot](https://attack.mitre.org/software/S0650) web inject module can inject JavaScript into web banking pages visited by the victim.(Citation:... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) is distributed as a JavaScript launcher file.(Citation: Trustwave BlackByte 2021) |
| S0640 | Avaddon | Malware | [Avaddon](https://attack.mitre.org/software/S0640) has been executed through a malicious JScript downloader.(Citation: Hornet Security Avaddon June 20... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed as a malicious JavaScript object.(Citation: PaloAlto StrelaStealer 2024)... |
| S0417 | GRIFFON | Malware | [GRIFFON](https://attack.mitre.org/software/S0417) is written in and executed as [JavaScript](https://attack.mitre.org/techniques/T1059/007).(Citation... |
| S1249 | HexEval Loader | Malware | [HexEval Loader](https://attack.mitre.org/software/S1249) has executed malicious JavaScript code.(Citation: Socket Contagious Interview NPM April 2025... |
| S1124 | SocGholish | Malware | The [SocGholish](https://attack.mitre.org/software/S1124) payload is executed as JavaScript.(Citation: SocGholish-update)(Citation: SentinelOne SocGho... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) can write files to disk with JavaScript using a modified version of the open-source tool FileSave... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereas... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has used JavaScript files as part its infection chain during malicious spam email campaigns.(... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020) |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citati... |
| S0648 | JSS Loader | Malware | [JSS Loader](https://attack.mitre.org/software/S0648) can download and execute JavaScript files.(Citation: CrowdStrike Carbon Spider August 2021) |
References
- Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.
- Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.
- Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript …. Retrieved June 23, 2020.
- Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.
- Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.
- OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.
- Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.
- Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.
Frequently Asked Questions
What is T1059.007 (JavaScript)?
T1059.007 is a MITRE ATT&CK technique named 'JavaScript'. It belongs to the Execution tactic. Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scri...
How can T1059.007 be detected?
Detection of T1059.007 (JavaScript) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1059.007?
There are 4 documented mitigations for T1059.007. Key mitigations include: Behavior Prevention on Endpoint, Execution Prevention, Disable or Remove Feature or Program, Restrict Web-Based Content.
Which threat groups use T1059.007?
Known threat groups using T1059.007 include: Turla, APT32, Saint Bear, FIN6, Sidewinder, MoustachedBouncer, APT-C-36, MuddyWater.