-
Notifications
You must be signed in to change notification settings - Fork 6
/
attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d.json
62 lines (62 loc) · 4.52 KB
/
attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1059.007",
"url": "https://attack.mitre.org/techniques/T1059/007"
},
{
"source_name": "NodeJS",
"url": "https://nodejs.org/",
"description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020."
},
{
"source_name": "JScrip May 2018",
"url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript",
"description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020."
},
{
"source_name": "Microsoft JScript 2007",
"url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript",
"description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020."
},
{
"source_name": "Microsoft Windows Scripts",
"url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces",
"description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020."
}
],
"created_by_ref": "The MITRE Corporation",
"name": "JavaScript/JScript",
"description": "Adversaries may abuse JavaScript and/or JScript for execution. JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nAdversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
"id": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"modified": "2020-06-25T03:23:13.804Z",
"created": "2020-06-23T19:12:24.924Z",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
"x_mitre_detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
"x_mitre_data_sources": [
"Loaded DLLs",
"DLL monitoring",
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
]
}