Benchmark: T1059.007 Command and Scripting Interpreter: JavaScript
Overview
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-apache-access-log-detections
Start the Powerpipe server:
powerpipe server
Open http://localhost:9033 in your browser and select T1059.007 Command and Scripting Interpreter: JavaScript.
Run this benchmark in your terminal:
powerpipe benchmark run apache_access_log_detections.benchmark.mitre_attack_v161_ta0002_t1059_007
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run apache_access_log_detections.benchmark.mitre_attack_v161_ta0002_t1059_007 --share
Detections
- Cross-Site Scripting AngularJS Template
- Cross-Site Scripting Attribute Injection
- Cross-Site Scripting Common Patterns
- Cross-Site Scripting DOM Based
- Cross-Site Scripting Encoding
- Cross-Site Scripting HTML Injection
- Cross-Site Scripting JavaScript Methods
- Cross-Site Scripting JavaScript URI
- Cross-Site Scripting Script Tag
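As an added illustration, not part of this benchmark or the mod's own detection queries, the following Python sketch shows what several of the listed detections look for when run over constructed Apache access log lines: it percent-decodes the request URI (so the "Encoding" variants are caught) and reports which categories match. The regexes and sample lines are assumptions written for this example, not the mod's patterns.

```python
import re
from urllib.parse import unquote

# Matches the start of an Apache access log line (common/combined format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# One illustrative pattern per detection category from the benchmark list.
# These are approximations for this example, not the mod's queries; e.g. the
# attribute pattern will also fire on harmless parameters such as "&one=1".
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "attribute_injection": re.compile(r"\bon[a-z]+\s*=", re.I),
    "angularjs_template": re.compile(r"\{\{.*?\}\}"),
    "javascript_methods": re.compile(r"\b(eval|fromCharCode|document\.cookie)\b", re.I),
}


def normalize(uri: str) -> str:
    """Percent-decode until stable (max 3 passes) so double-encoded payloads surface."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def detect(lines):
    """Return (client_ip, raw_uri, [matched categories]) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        cats = [name for name, rx in PATTERNS.items() if rx.search(normalize(m["uri"]))]
        if cats:
            hits.append((m["ip"], m["uri"], cats))
    return hits


# Constructed sample log lines (documentation IP ranges, fictitious requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /redirect?url=javascript:alert(document.cookie) HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2024:13:57:12 +0000] "GET /profile?name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 734',
    '192.0.2.9 - - [10/Oct/2024:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2024:13:59:05 +0000] "GET /app?greeting=%7B%7B7*7%7D%7D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, uri, cats in detect(SAMPLE_LOG):
        print(ip, ", ".join(cats), uri)
```

The third sample line is double-encoded and is only caught because of the repeated decoding in `normalize`; a single-pass decoder would miss it.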