Applied Cybernetics Group
T1059.007 — JavaScript
- Technique: T1059.007
- Tactics: Execution
- MISP citations: 0
- KEV CVEs mapped: 14
- Community rules: 23
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1059/007
MITRE description
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility `osascript`, they can be compiled into applications or script files via `osacompile`, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
- CVE-2025-34028
- CVE-2023-5631
- CVE-2023-26360
- CVE-2023-22515
- CVE-2022-24682
- CVE-2022-22963
- CVE-2021-37975
- CVE-2021-30554
- CVE-2021-21206
- CVE-2021-21166
- CVE-2021-21148
- CVE-2018-4990
- CVE-2015-5119
- CVE-2013-3346
Detection coverage
SigmaHQ community rules
- Adwind RAT / JRAT (emerging-threats)
- WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript (threat-hunting)
- Suspicious Installer Package Child Process (core)
- JXA In-memory Execution Via OSAScript (core)
- Potential In-Memory Download And Compile Of Payloads (core)
- AppLocker Prevented Application or Script from Running (core)
- HackTool - CACTUSTORCH Remote Thread Creation (core)
- Suspicious Deno File Written from Remote Source (core)
- WScript or CScript Dropper - File (core)
- Adwind RAT / JRAT File Artifact (core)
- Csc.EXE Execution Form Potentially Suspicious Parent (core)
- HTML Help HH.EXE Suspicious Child Process (core)
- Suspicious HH.EXE Execution (core)
- HackTool - Koadic Execution (core)
- MSHTA Execution with Suspicious File Extensions (core)
- Node Process Executions (core)
- NodeJS Execution of JavaScript File (core)
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary (core)
- Script Interpreter Spawning Credential Scanner - Windows (core)
- Potential Remote SquiblyTwo Technique Execution (core)
- XSL Script Execution Via WMIC.EXE (core)
- Potential Dropper Script Execution Via WScript/CScript/MSHTA (core)
- Cscript/Wscript Uncommon Script Extension Execution (core)