Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2021-21206 | Google Chromium Blink Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.
References
|
| CVE-2021-30554 | Google Chromium WebGL Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.
References
|
| CVE-2021-37975 | Google Chromium V8 Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21148 | Google Chromium V8 Heap Buffer Overflow Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21166 | Google Chromium Race Condition Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2018-4990 | Adobe Acrobat and Reader Double Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
This vulnerability is exploited via embedded javascript within a user-executed malicious pdf. There are two mapped exploitation_technqiues for this CVE.
References
|
| CVE-2013-3346 | Adobe Reader and Acrobat Memory Corruption Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
This vulnerability is exploited via maliciously-crafted javascript.
References
|
| CVE-2023-22515 | Atlassian Confluence Data Center and Server Broken Access Control Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
|
| CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
References
|
| CVE-2022-24682 | Zimbra Webmail Cross-Site Scripting Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability is exploited by an attacker via spear-phishing emails containing malicious links to inject arbitrary HTML and JavaScript into the document by placing executable JavaScript inside element attributes. This results in unescaped markup, enabling the attacker to execute JavaScript in the context of a user's Zimbra session, leading to potential data theft and other malicious activities.
This vulnerability was identified by Volexity in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic. The campaigns aimed to exploit this zero-day vulnerability, allowing attackers to execute arbitrary JavaScript in the context of a user's Zimbra session.
The attack involved two phases: an initial reconnaissance phase using emails with embedded remote images to track if targets opened the messages, and a second phase with spear-phishing emails containing malicious links. If a target clicked on these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal email data and attachments.
References
|
| CVE-2022-22963 | VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
In certain versions of Spring Cloud Function, a vulnerability allows remote code execution through a specially crafted Spring Expression Language (SpEL) routing expression. This vulnerability, known as "Spring4Shell," can be exploited by sending crafted queries to a server running the Spring Core framework. Hackers are actively exploiting this flaw to execute malicious Java code on vulnerable servers. Initial exploit attempts were observed targeting a honeypot on port 9001. The exploit modifies logging configurations to create a webshell by writing code to a log file, which is then executed via a browser. Although there is scanning activity for vulnerable hosts, the exploitation is less widespread compared to Log4Shell, as it requires specific conditions beyond just using the framework.
References
|