The detection of a .jse file creation in the environment may indicate the presence of obfuscated JavaScript used for initial compromise or payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial activity that could lead to persistent access or data exfiltration.
KQL Query

```kql
// Creation of any .jse file, including legitimate and malicious ones
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".jse"
```
```yaml
id: 7913cb78-0e5a-4c4c-ab5b-31ef823ba25b
name: detect-jscript-file-creation
description: |
  This query was originally published in the threat analytics report, Emulation-evading JavaScripts.
  Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments.
  The following query detects the creation of files with a .jse extension. Certain ransomware campaigns, such as Emotet, are known to employ encrypted JavaScript code that is saved to the target as .jse files.
  See Detect potentially malicious .jse launch by File Explorer or Word for a similar technique.
  Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
  - Defense evasion
query: |
  // Creation of any .jse file, including legitimate and malicious ones
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where FileName endswith ".jse"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure the MicrosoftThreatProtection data connector that provides this table is enabled |
The query also matches benign .jse creation. The following scenarios describe known false positives; each exclusion is written against DeviceFileEvents columns (InitiatingProcessFileName, FileName, FolderPath, InitiatingProcessAccountName) so it can be appended to the query as a where not(...) clause.

Scenario: Scheduled Job for System Maintenance
Description: A legitimate system maintenance task creates a .jse file as part of a scheduled job that generates temporary scripts for system diagnostics.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "schtasks.exe" or FileName =~ "maintenance_script.jse")

Scenario: User-Initiated Script Generation via PowerShell
Description: A system administrator uses PowerShell to generate a .jse file as part of a script automation task, such as creating a backup or configuration file.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessAccountName =~ "admin_user")

Scenario: Antivirus Quarantine File Creation
Description: An antivirus tool creates a .jse file in quarantine as part of its scanning process; the file is then renamed or moved by the system.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "avast.exe" or FolderPath startswith @"C:\Windows\Temp\quarantine\")

Scenario: Microsoft Office Macro File Conversion
Description: A user converts an .xls file to .jse format using Microsoft Office, which may trigger the rule because of the file extension.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "excel.exe" or (FolderPath startswith @"C:\Users\" and FolderPath has "Documents" and FileName endswith ".xls"))

Scenario: Development Environment File Creation
Description: A developer creates a .jse file as part of a development task, such as testing a script or integrating with a legacy system.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "devenv.exe" or FolderPath startswith @"C:\Dev\scripts\")
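To check the base query and the tuning exclusions offline before deploying them, here is an added Python emulation of the rule (example code, not part of the original query or of Sentinel) run over constructed DeviceFileEvents-shaped rows; the NOW timestamp, the row values and the three exclusions it encodes are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the DeviceFileEvents columns the query
# and exclusions use. Every value below is invented for this example.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "FileName": "invoice_4411.JSE",
     "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp",
     "InitiatingProcessFileName": "winword.exe", "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": NOW - timedelta(days=1), "FileName": "maintenance_script.jse",
     "FolderPath": r"C:\Windows\Temp",
     "InitiatingProcessFileName": "schtasks.exe", "InitiatingProcessAccountName": "SYSTEM"},
    {"Timestamp": NOW - timedelta(days=10), "FileName": "old.jse",
     "FolderPath": r"C:\Dev\scripts",
     "InitiatingProcessFileName": "devenv.exe", "InitiatingProcessAccountName": "dev1"},
    {"Timestamp": NOW - timedelta(hours=5), "FileName": "notes.txt",
     "FolderPath": r"C:\Users\jdoe\Documents",
     "InitiatingProcessFileName": "notepad.exe", "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": NOW - timedelta(hours=1), "FileName": "update.jse",
     "FolderPath": r"C:\Users\asmith\Downloads",
     "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessAccountName": "asmith"},
]
# Tuning exclusions mirroring three of the false-positive scenarios above.
# Comparisons are lowercased because KQL's =~, startswith and endswith ignore case.
EXCLUSIONS = [
    lambda e: e["InitiatingProcessFileName"].lower() == "schtasks.exe"
    or e["FileName"].lower() == "maintenance_script.jse",
    lambda e: e["InitiatingProcessFileName"].lower() == "powershell.exe"
    and e["InitiatingProcessAccountName"].lower() == "admin_user",
    lambda e: e["FolderPath"].lower().startswith(r"c:\dev\scripts"),
]

def detect_jse_creations(events, now=NOW, lookback=timedelta(days=7),
                         exclusions=EXCLUSIONS):
    """Emulate the hunt: .jse files created inside the lookback window,
    minus rows that match a tuning exclusion. Returns the surviving rows."""
    hits = []
    for e in events:
        if e["Timestamp"] <= now - lookback:      # outside ago(7d)
            continue
        if not e["FileName"].lower().endswith(".jse"):
            continue
        if any(excl(e) for excl in exclusions):   # known-benign pattern
            continue
        hits.append(e)
    return hits

if __name__ == "__main__":
    for h in detect_jse_creations(EVENTS):
        print(h["Timestamp"].isoformat(), h["InitiatingProcessFileName"], h["FileName"])
```

With the sample rows, the Word-spawned invoice_4411.JSE and the non-admin PowerShell update.jse survive, while the scheduled-task script is excluded and the ten-day-old file falls outside the window.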