JavaScript support was introduced in PDF version 1.3, so a PDF file whose header declares an earlier version yet contains a /JavaScript entry is internally inconsistent. That inconsistency may indicate the presence of malicious scripts or unauthorized modifications to legitimate applications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential script-based attacks or tampering with application assets.
YARA Rule
rule js_wrong_version : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "JavaScript was introduced in v1.3"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 2

    strings:
        $magic = { 25 50 44 46 }
        $js = /\/JavaScript/
        $ver = /%PDF-1\.[3-9]/

    condition:
        $magic in (0..1024) and $js and not $ver
}
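To show exactly what the condition above evaluates, here is a pure-Python re-implementation of the rule's three strings and its condition, run over constructed PDF-like byte strings. This is an added example, not the rule author's code; the make_pdf helper and the sample names are assumptions for the demonstration, and YARA's "$magic in (0..1024)" semantics (the match must start at an offset between 0 and 1024 inclusive) are reproduced with an offset-bounded search.

```python
import re

# The rule's three strings (added example, not the rule author's code).
MAGIC = b"%PDF"                         # $magic = { 25 50 44 46 }
JS_RE = re.compile(rb"/JavaScript")     # $js
VER_RE = re.compile(rb"%PDF-1\.[3-9]")  # $ver


def magic_in_window(data: bytes) -> bool:
    """YARA '$magic in (0..1024)': a match starting at offset <= 1024."""
    return data.find(MAGIC, 0, 1024 + len(MAGIC)) != -1


def js_wrong_version(data: bytes) -> bool:
    """True when the sample satisfies: $magic in (0..1024) and $js and not $ver."""
    return (magic_in_window(data)
            and JS_RE.search(data) is not None
            and VER_RE.search(data) is None)


def explain(data: bytes) -> dict:
    """Per-string breakdown, useful when triaging a hit."""
    return {
        "magic_in_window": magic_in_window(data),
        "has_javascript": JS_RE.search(data) is not None,
        "declares_1_3_or_later": VER_RE.search(data) is not None,
        "rule_matches": js_wrong_version(data),
    }


def make_pdf(version: bytes, with_js: bool, pad: int = 0) -> bytes:
    """Constructed minimal PDF-like bytes (hypothetical helper).
    'pad' junk bytes are prepended to exercise the 0..1024 offset window."""
    body = b"\x00" * pad + b"%PDF-" + version + b"\n"
    body += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
    if with_js:
        body += b" /OpenAction << /S /JavaScript /JS (x) >>"
    return body + b" >>\nendobj\n%%EOF\n"


# Constructed samples: only the first should fire the rule.
SAMPLES = {
    "pdf12_js": make_pdf(b"1.2", True),                 # JS in a pre-1.3 file
    "pdf14_js": make_pdf(b"1.4", True),                 # version permits JS
    "pdf12_nojs": make_pdf(b"1.2", False),              # no JavaScript at all
    "late_magic_js": make_pdf(b"1.2", True, pad=2000),  # magic past offset 1024
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, explain(data))
```

Note that $ver is searched anywhere in the file, not only in the header, and the rule matches only the literal name /JavaScript; a document that raises its version through the catalog's /Version entry (introduced in PDF 1.4) rather than the header would still fire, so treat a hit as a triage lead and confirm with a real PDF parser.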
This rule contains 3 string patterns in its detection logic: $magic (the %PDF file signature, which must begin within the first 1024 bytes), $js (the /JavaScript name) and $ver (a header declaring PDF 1.3 or later); it fires when the first two are present and the third is absent. This YARA rule can be deployed in the following contexts, each paired with a filter or exclusion for the benign activity described:
Scenario: A system administrator uses PowerShell to generate a report that includes a JavaScript snippet for data formatting.
Filter/Exclusion: Exclude events where the script is executed via PowerShell and the file path contains PowerShell or ps1.
Scenario: A scheduled job runs a legacy application that dynamically generates HTML content with embedded JavaScript for client-side rendering.
Filter/Exclusion: Exclude events where the process is associated with a scheduled task named LegacyAppScheduler or the command line includes --generate-html.
Scenario: A web server (e.g., Apache or Nginx) logs JavaScript errors from client-side scripts due to malformed requests or browser compatibility issues.
Filter/Exclusion: Exclude events where the source IP is from an internal network or the user-agent string indicates a browser.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) runs a build script that includes JavaScript for automation, such as testing or linting.
Filter/Exclusion: Exclude events where the process is associated with a CI/CD tool or the command line includes --ci or --build.
Scenario: An IT support tool (e.g., ServiceNow, Zendesk) uses JavaScript in its UI to enhance user interaction, which may be logged in system event logs.
Filter/Exclusion: Exclude events where the process name includes ServiceNow, Zendesk, or the event source is related to a support platform.