T1059.007 covers attacker-supplied JavaScript: malicious npm packages, in-browser card skimmers in the Magecart mould, and abuse of server-side Node.js runtimes. Web applications and their databases are where the payloads land in cloud estates. DCV maps the Azure Defender for App Service and Defender for SQL onboarding policies as the controls that put runtime monitoring on those targets, with GCP Chronicle's COMMAND_SCRIPTING_INTERPRETER rules covering execution telemetry. For checkout pages, subresource integrity plus a strict CSP blunts the skimmer class outright.
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple's Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple's OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple's internal APIs. As of OSX 10.10, OSA supports only two languages, JXA and AppleScript. Scripts can be executed via the command line utility `osascript`, compiled into applications or script files via `osacompile`, or compiled and executed in the memory of other programs by leveraging the OSAKit Framework.
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
Platforms: Linux, macOS, Windows.
DCV maps 11 detections across 2 cloud providers to T1059.007. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Azure Policy | Azure | 6 | 0.83 |
| Microsoft Defender for Cloud | Azure | 4 | 0.88 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 11 T1059.007 rules across 1 platform. The linked platform page remains the canonical rule surface. No public example rule has yet cleared the embed bar for this page, so none is embedded here; generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 11 cloud-native detections to T1059.007 across 2 cloud providers, drawn from Azure Policy, GCP Chronicle and Microsoft Defender for Cloud.
T1059.007 belongs to the MITRE ATT&CK tactic TA0002 (Execution): how adversaries run their code once inside an environment.
CloudSigma ships 1 validated Sigma rule for T1059.007, targeting Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.