Command and Scripting Interpreter: JavaScript `T1059.007`

Tactic: Execution

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Events covered

16 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 8	CreateRemoteThread
Sysmon	Event ID 11	FileCreate
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4688	A new process has been created.
Defender-DeviceEvents	ClrUnbackedModuleLoaded	CLR unbacked module loaded
ESF	exec	Process Execution (Notify)
ESF	write	File Write (NOTIFY)
AppLocker	Event ID 8004	FilePathBuffer was prevented from running.
AppLocker	Event ID 8007	FilePathBuffer was prevented from running.
AppLocker	Event ID 8022	PackageBuffer was prevented from running.
AppLocker	Event ID 8025	PackageBuffer was prevented from running.
DotNETRuntime	Event ID 152	ModuleID=ModuleID.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 70 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (64 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`process_name`	32	`eq` 19, `in` 10, `starts_with` 6, `wildcard` 5, `regex_match` 2, `ends_with` 1	`bash`, `cscript.exe`, `node`, `cmd.exe`, `curl`
`event.type`	29	`eq` 27, `in` 2	`start`, `process_started`, `creation`
`CommandLine`	27	`contains` 20, `wildcard` 4, `regex_match` 2, `ends_with` 1, `is_not_null` 1	`.js`, `(?i)(w\|c)script.{1,}?\.\w{2,4}`, `eval(`, `.bat`, `://`
`Image`	24	`ends_with` 17, `wildcard` 3, `in` 2, `starts_with` 2	`\cscript.exe`, `\wscript.exe`, `\\cscript.exe`, `\\wscript.exe`, `/dev/shm/`
`parent_process_name`	23	`eq` 15, `in` 7, `regex_match` 2, `starts_with` 2	`cscript.exe`, `mshta.exe`, `node`, `((?i)(powershell\.exe)\|(cmd\.exe)\|(services\.exe)\|(dllhos...`, `7zFM.exe`
`EventType`	16	`eq` 12, `in` 3, `starts_with` 1	`exec`, `start`, `ProcessRollup2`, `creation`, `ClrUnbackedModuleLoaded`
`OriginalFileName`	15	`eq` 15	`cmd.exe`, `cscript.exe`, `node.exe`, `wmic.exe`, `wscript.exe`
`host.os.type`	12	`eq` 9, `in` 3
`process.args`	10	`eq` 5, `wildcard` 4, `ends_with` 2, `contains` 1, `is_not_null` 1, `starts_with` 1	`/bin/sh`, `importptyspawn`, `importsubprocesscall*`, `-c`, `-e`
`EventID`	9	`eq` 9	`1`, `4104`, `4688`, `7`, `4663`
`ParentCommandLine`	7	`contains` 4, `wildcard` 3, `is_not_null` 1, `regex_match` 1	`server.js`, `(?:[Pp]rogram[Dd]ata\|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%\|\\[Aa]p...`, `/sap.com/servlet_jsp/irj/`, `\sap.com\servlet_jsp\irj\`, `extensionHost`
`DestinationHostname`	4	`is_null` 2, `wildcard` 2, `ends_with` 1, `starts_with` 1	`.s3.amazonaws.com`, `.cloudfront.net`, `calendar.app.google`, `eth-mainnet`, `eth..com`
`ParentImage`	4	`ends_with` 4, `eq` 1, `starts_with` 1	`/installer`, `/package_script_service`, `\bun.exe`, `\cscript.exe`, `\excel.exe`
`TargetFilename`	4	`contains` 3, `ends_with` 1, `wildcard` 1	`.exe`, `.js`, `.jse`, `.vba`, `.vbs`
`event.category`	4	`eq` 4	`process`, `driver`, `library`

Top indicator values (835 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticCommand and Scripting Interpreter via Windows Scripts elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticExecution of a Downloaded Windows Script elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticGoogle Calendar C2 via Script Interpreter elasticLong Base64 Encoded Command via Scripting Interpreter elasticMicrosoft Build Engine Started by a Script Process elasticMicrosoft Management Console File from Unusual Path elasticNode.js Pre or Post-Install Script Execution elasticPotential Etherhiding C2 via Blockchain Connection elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticScript Execution via Microsoft HTML Application elasticScript Interpreter Connection to Non-Standard Port elasticSuspicious .NET Code Compilation elasticSuspicious AWS S3 Connection via Script Interpreter elasticSuspicious Curl to Jamf Endpoint elasticSuspicious Execution with NodeJS elasticSuspicious Installer Package Spawns Network Event elasticSuspicious JavaScript Execution via Deno elasticSuspicious React Server Child Process elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Executing PowerShell elasticWindows Script Execution from Archive elasticWindows Script Interpreter Executing Process via WMI	26	606
`process_name`	`starts_with`	`python` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticGoogle Calendar C2 via Script Interpreter elasticPotential Etherhiding C2 via Blockchain Connection elasticScript Interpreter Connection to Non-Standard Port elasticSuspicious AWS S3 Connection via Script Interpreter elasticSuspicious React Server Child Process	6	31
`Image`	`ends_with`	`\cscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWScript or CScript Dropper - File sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	5	73
`Image`	`ends_with`	`\wscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWScript or CScript Dropper - File sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	5	75
`Image`	`ends_with`	`\mshta.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaMSHTA Execution with Suspicious File Extensions sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA	3	67
`Image`	`ends_with`	`\wmic.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential Remote SquiblyTwo Technique Execution sigmaXSL Script Execution Via WMIC.EXE	3	60
`process_name`	`wildcard`	`curl` elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticSuspicious Installer Package Spawns Network Event	5	16
`process_name`	`wildcard`	`python*` elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticSuspicious Installer Package Spawns Network Event	5	24
`process_name`	`wildcard`	`bash` elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation	4	14
`process_name`	`wildcard`	`sh` elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation	4	14
`process_name`	`wildcard`	`zsh` elasticExecution via GitHub Actions Runner elasticExecution via OpenClaw Agent elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation	4	13
`CommandLine`	`contains`	`.js` sigmaJXA In-memory Execution Via OSAScript sigmaNodeJS Execution of JavaScript File sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	4	9
`CommandLine`	`contains`	`.wsf` sigmaPotential Dropper Script Execution Via WScript/CScript/MSHTA sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticExecution of a Downloaded Windows Script	3	4
`EventType`	`eq`	`exec` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticScript Interpreter Connection to Non-Standard Port elasticSuspicious Curl to Jamf Endpoint elasticSuspicious Installer Package Spawns Network Event	4	171
`event.category`	`eq`	`process` elasticLong Base64 Encoded Command via Scripting Interpreter elasticMicrosoft Build Engine Started by a Script Process elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Interpreter Executing Process via WMI	4	128
`process_name`	`eq`	`cscript.exe` elasticRemote File Download via Script Interpreter elasticSuspicious Execution from VS Code Extension elasticWindows Script Interpreter Executing Process via WMI splunkJscript Execution Using Cscript App	4	25
`process_name`	`eq`	`wscript.exe` elasticRemote File Download via Script Interpreter elasticSuspicious Execution from VS Code Extension elasticWindows Script Execution from Archive elasticWindows Script Interpreter Executing Process via WMI	4	29
`process_name`	`eq`	`cmd.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticExecution of a Downloaded Windows Script elasticSuspicious Execution from VS Code Extension	3	77
`process_name`	`in`	`bash` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticPotential Etherhiding C2 via Blockchain Connection elasticSuspicious Installer Package Spawns Network Event elasticSuspicious React Server Child Process	4	88
`process_name`	`in`	`node` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticGoogle Calendar C2 via Script Interpreter elasticPotential Etherhiding C2 via Blockchain Connection elasticScript Interpreter Connection to Non-Standard Port	4	11
`process_name`	`in`	`sh` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticPotential Etherhiding C2 via Blockchain Connection elasticSuspicious Installer Package Spawns Network Event elasticSuspicious React Server Child Process	4	83
`process_name`	`in`	`zsh` elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticPotential Etherhiding C2 via Blockchain Connection elasticSuspicious Installer Package Spawns Network Event elasticSuspicious React Server Child Process	4	82
`EventType`	`in`	`exec` elasticExecution via GitHub Actions Runner elasticNode.js Pre or Post-Install Script Execution elasticSuspicious React Server Child Process	3	171
`EventType`	`in`	`start` elasticExecution via GitHub Actions Runner elasticNode.js Pre or Post-Install Script Execution elasticSuspicious React Server Child Process	3	134
`OriginalFileName`	`eq`	`cmd.exe` sigmaHackTool - Koadic Execution elasticCommand and Scripting Interpreter via Windows Scripts elasticWindows Script Interpreter Executing Process via WMI	3	65
`OriginalFileName`	`eq`	`cscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticWindows Script Interpreter Executing Process via WMI	3	19
`OriginalFileName`	`eq`	`node.exe` sigmaNodeJS Execution of JavaScript File sigmaPotentially Suspicious Inline JavaScript Execution via NodeJS Binary elasticSuspicious Execution with NodeJS	3	3
`OriginalFileName`	`eq`	`wscript.exe` sigmaCscript/Wscript Uncommon Script Extension Execution sigmaWSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript elasticWindows Script Interpreter Executing Process via WMI	3	20
`parent_process_name`	`eq`	`cscript.exe` elasticSuspicious .NET Code Compilation elasticWindows Script Executing PowerShell splunkJscript Execution Using Cscript App	3	7
`parent_process_name`	`eq`	`wscript.exe` elasticCommand and Scripting Interpreter via Windows Scripts elasticSuspicious .NET Code Compilation elasticWindows Script Executing PowerShell	3	11

Exclusions (154 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`process_name`	`eq`	`cmd.exe` elasticSuspicious Execution from VS Code Extension elasticWeb Shell Detection: Script Process Child of Common Web Processes	2
`process_name`	`regex_match`	`(?i)windowsupdatelog` splunkExecutable Process from Suspicious Folder (Sysmon) splunkExecutable Process from Suspicious Folder (Windows Event Log)	2
`CommandLine`	`contains`	`.\\install\\awk.exe` elasticWeb Shell Detection: Script Process Child of Common Web Processes	1
`CommandLine`	`contains`	`://` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`\\\\` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`adobe creative cloud experience\js` sigmaNode Process Executions	1
`CommandLine`	`contains`	`format:csv` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:hform` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:htable` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:list` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:mof` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:rawxml` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:table` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:value` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`format:xml` sigmaXSL Script Execution Via WMIC.EXE	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Command and Scripting Interpreter: JavaScript `T1059.007`

Events covered

Authoring guide

Fields filtered most (64 distinct)

Top indicator values (835 distinct)

Exclusions (154 distinct)

Rules under this technique

Sigma 23 rules

Elastic 35 rules

Splunk 11 rules

Kusto 1 rule

Keyboard shortcuts

Search operators

Command and Scripting Interpreter: JavaScript T1059.007

Events covered

Authoring guide

Fields filtered most (64 distinct)

Top indicator values (835 distinct)

Exclusions (154 distinct)

Rules under this technique

Sigma 23 rules

Elastic 35 rules

Splunk 11 rules

Kusto 1 rule

Command and Scripting Interpreter: JavaScript `T1059.007`