JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.
osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.
|M1040||Behavior Prevention on Endpoint|
|M1042||Disable or Remove Feature or Program||
Turn off or restrict access to unneeded scripting components.
Denylist scripting where appropriate.
|M1021||Restrict Web-Based Content||
|ID||Data Source||Data Component|
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (e.g., JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors, and could serve as detection indicators that lead back to the source.
Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
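The monitoring and baselining described above, as an added example that is not part of the original page: a small classifier over process-creation events that flags JScript run through the Windows Script Host and JXA run through osascript or osacompile, then suppresses executions that match a known usage baseline. The event field names (user, image, command_line), the BASELINE entries and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Script hosts named on the page; matching is on the image file name only.
WINDOWS_HOSTS = {"cscript.exe", "wscript.exe"}
JS_FILE = re.compile(r"\.(js|jse)\b", re.IGNORECASE)        # JScript file extensions
JS_ENGINE = re.compile(r"//e:\s*jscript", re.IGNORECASE)    # engine forced with //E:
JXA_FLAG = re.compile(r"(^|\s)-l\s+JavaScript\b", re.IGNORECASE)

# Assumption: (user, script path) pairs recorded during normal administration.
BASELINE = {("svc_patch", r"c:\it\inventory.js")}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"user": "alice", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"user": "svc_patch", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe //nologo C:\IT\inventory.js"},
    {"user": "bob", "image": "/usr/bin/osascript",
     "command_line": "osascript -l JavaScript /tmp/update.scpt"},
    {"user": "bob", "image": "/usr/bin/osascript",
     "command_line": "osascript /Users/bob/backup.applescript"},
]


def classify(event):
    """Return a finding label for one process-creation event, or None."""
    image = ntpath.basename(event["image"]).lower()  # handles \ and / separators
    cmd = event["command_line"]
    if image in WINDOWS_HOSTS and (JS_FILE.search(cmd) or JS_ENGINE.search(cmd)):
        label = "wsh-jscript"
    elif image in ("osascript", "osacompile") and JXA_FLAG.search(cmd):
        label = "jxa"
    else:
        return None
    # Suppress executions that match the recorded baseline (user and script).
    for user, script in BASELINE:
        if event["user"].lower() == user and script in cmd.lower():
            return None
    return label


def findings(events):
    """Return (user, label) for every event that is not explained by the baseline."""
    return [(e["user"], label) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for user, label in findings(SAMPLE_EVENTS):
        print(user, label)
```

The baseline is keyed on both user and script path, so the same script run by an unexpected account is still reported.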