{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/deno/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["execution","javascript","deno","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike","Deno Land Inc."],"content_html":"\u003cp\u003eThis detection rule identifies suspicious JavaScript execution via the Deno runtime environment on Windows systems. Deno is a modern runtime for JavaScript and TypeScript that, while legitimate, can be abused by adversaries to execute malicious code. The rule focuses on command-line patterns indicative of malicious intent, specifically the presence of base64 encoding, the use of the \u003ccode\u003eeval()\u003c/code\u003e function, the inclusion of HTTP requests, or the use of JavaScript imports in a suspicious context. This activity is concerning because attackers can use Deno to bypass traditional security measures and execute arbitrary code for various malicious purposes, including staging further attacks or executing malware. The rule aims to detect these activities by monitoring process executions and analyzing their command lines.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through social engineering, exploiting a vulnerability, or compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads or transfers the \u003ccode\u003edeno.exe\u003c/code\u003e executable to the compromised system. The executable might be renamed or placed in a non-standard location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edeno.exe\u003c/code\u003e with a command line containing suspicious elements such as \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003eeval(\u003c/code\u003e, \u003ccode\u003ehttp\u003c/code\u003e, or \u003ccode\u003eimport\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeno interprets and executes the JavaScript code, which may be embedded directly in the command line (e.g., using \u003ccode\u003eeval()\u003c/code\u003e), fetched from a remote server (via \u003ccode\u003ehttp\u003c/code\u003e), or imported from a local file.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code performs malicious actions, such as downloading and executing additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe malicious script may leverage Deno\u0026rsquo;s permissions to bypass security restrictions. Broad permissions (e.g., using the \u003ccode\u003e-A\u003c/code\u003e flag) are especially concerning.\u003c/li\u003e\n\u003cli\u003eThe Deno process may spawn child processes to further the attacker\u0026rsquo;s objectives. These child processes may include command interpreters (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) or other utilities.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to achieve code execution, establish persistence, and/or compromise data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise the affected system. This could result in data theft, system disruption, or further propagation of malware within the network. The targeted systems could be developer workstations or build servers, leading to supply chain compromises. The impact of a successful attack is high due to the potential for significant damage and lateral movement within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious JavaScript Execution via Deno\u0026rdquo; to your SIEM and tune for your environment to detect malicious Deno usage.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003edeno.exe\u003c/code\u003e execution, focusing on command lines containing \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003eeval(\u003c/code\u003e, \u003ccode\u003ehttp\u003c/code\u003e, or \u003ccode\u003eimport\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture detailed command-line arguments for \u003ccode\u003edeno.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Suspicious JavaScript Execution via Deno\u0026rdquo; Sigma rule, focusing on the process lineage, network connections, and file modifications associated with the Deno process.\u003c/li\u003e\n\u003cli\u003eRestrict the usage of Deno to authorized users and systems (e.g., developers, build servers).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized or renamed copies of \u003ccode\u003edeno.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-susp-deno-js-execution/","summary":"Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a JavaScript context), which adversaries may abuse to run malicious JavaScript for execution or staging.","title":"Suspicious JavaScript Execution via Deno","url":"https://feed.craftedsignal.io/briefs/2024-01-susp-deno-js-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Deno","version":"https://jsonfeed.org/version/1.1"}