Attackers may be using obfuscated JavaScript to execute malicious payloads, evading traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware campaigns that leverage JavaScript-based attacks.
KQL Query

```kusto
// Find potentially malicious .jse launch by File Explorer or Word
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("explorer.exe","winword.exe")
    and FileName =~ "wscript.exe"
    and ProcessCommandLine contains ".jse"
```
```yaml
id: da127884-b65b-4ccf-b178-320d9cac3e15
name: jse-launched-by-word
description: |
  This query was originally published in the threat analytics report, Emulation-evading JavaScripts.
  Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments.
  The following query detects when Word or File Explorer has launched a file with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the Trickbot banking trojan.
  See Detect .jse file creation events for a similar technique.
  Reference - https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Initial access
  - Execution
  - Defense evasion
query: |
  // Find potentially malicious .jse launch by File Explorer or Word
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName in~ ("explorer.exe","winword.exe")
      and FileName =~ "wscript.exe"
      and ProcessCommandLine contains ".jse"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
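To make the query's four predicates concrete, the following is an added Python re-implementation of its matching logic run over constructed DeviceProcessEvents rows; it is not part of this page or of the Sentinel rule, and the paths, timestamps and the `matches`/`jse_path`/`hunt` helper names are assumptions. It goes one step past the query by also extracting the .jse path from the command line for triage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

INITIATORS = {"explorer.exe", "winword.exe"}  # InitiatingProcessFileName in~ (...)
HOST = "wscript.exe"                          # FileName =~ "wscript.exe"
LOOKBACK = timedelta(days=7)                  # Timestamp > ago(7d)
# Pull the .jse path out of the command line: a quoted path or a bare token ending in .jse
JSE_PATH = re.compile(r'"([^"]*?\.jse)"|(\S+\.jse)\b', re.IGNORECASE)

@dataclass
class ProcessEvent:            # the four DeviceProcessEvents columns the query reads
    timestamp: datetime
    initiating_process_file_name: str
    file_name: str
    process_command_line: str

def matches(ev, now):
    """Apply every where-clause of the query. in~, =~ and contains are all
    case-insensitive in KQL, so comparisons are done on lower-cased values."""
    return (ev.timestamp > now - LOOKBACK
            and ev.initiating_process_file_name.lower() in INITIATORS
            and ev.file_name.lower() == HOST
            and ".jse" in ev.process_command_line.lower())

def jse_path(command_line):
    """Return the .jse path referenced on the command line, or None (for triage)."""
    m = JSE_PATH.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def hunt(events, now):
    """Return (initiating process, .jse path) for each event the query would surface."""
    return [(ev.initiating_process_file_name, jse_path(ev.process_command_line))
            for ev in events if matches(ev, now)]

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
# Constructed sample rows (hypothetical paths and times, not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(hours=2), "WINWORD.EXE", "WScript.exe",   # mixed case, still a hit
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\u\AppData\Local\Temp\inv.JSE"'),
    ProcessEvent(NOW - timedelta(days=1), "explorer.exe", "wscript.exe",
                 r'wscript.exe C:\Users\u\Downloads\report.jse'),
    ProcessEvent(NOW - timedelta(days=10), "winword.exe", "wscript.exe",   # outside the 7-day window
                 r'wscript.exe C:\old\stale.jse'),
    ProcessEvent(NOW - timedelta(hours=1), "cmd.exe", "wscript.exe",       # not one of the two initiators
                 r'wscript.exe C:\scripts\logon.jse'),
    ProcessEvent(NOW - timedelta(hours=1), "winword.exe", "wscript.exe",   # no .jse on the command line
                 r'wscript.exe C:\scripts\macro.vbs'),
]
```

Running `hunt(SAMPLE_EVENTS, NOW)` returns only the first two rows, which is the same set the KQL query would surface from these events.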
Scenario: Legitimate JavaScript Execution via Word Document
Description: A user opens a Word document that contains embedded JavaScript, which is used to automate a common administrative task, such as generating a report or exporting data.
Filter/Exclusion: `process.name != "winword.exe" OR process.parent.name != "winword.exe"`
Note: This would exclude JavaScript execution that is part of a Word document, which is common in legitimate workflows.
Scenario: Scheduled Job Using JavaScript for Data Processing
Description: A scheduled task runs a JavaScript script (e.g., via Node.js or a script runner) to process data from a database or generate reports.
Filter/Exclusion: `process.name != "node.exe" OR process.parent.name != "schtasks.exe"`
Note: This would exclude legitimate scheduled jobs that use JavaScript for automation.
Scenario: Admin Task Using JavaScript for System Monitoring
Description: A system administrator uses a custom JavaScript tool (e.g., a script written in Node.js) to monitor system performance or log events.
Filter/Exclusion: `process.name != "node.exe" OR process.parent.name != "explorer.exe" AND process.parent.name != "services.exe"`
Note: This would exclude legitimate admin tools that use JavaScript for monitoring.
Scenario: Email Client Rendering JavaScript for HTML Emails
Description: An email client (e.g., Microsoft Outlook) renders an HTML email that contains JavaScript for formatting or embedding images.
Filter/Exclusion: `process.name != "outlook.exe" OR process.parent.name != "msedge.exe"`
Note: This would exclude JavaScript execution that occurs as part of email rendering.
Scenario: Web Browser Extension Using JavaScript for Automation
Description: A browser extension (e.g., a productivity tool) uses JavaScript