.jse related techniques

Author: martyav

Delivery/detect-jscript-file-creation.md

@@ -0,0 +1,46 @@
+# Detect .jse file creation events
+
+This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
+
+Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments.
+
+The following query detects the creation of files with a *.jse* extension. Certain ransomware campaigns, such as [Emotet](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/), are known to employ encrypted JavaScript code that is saved to the target as *.jse* files.
+
+See [Detect potentially malicious .jse launch by File Explorer or Word](../Execution/jse-launched-by-word.md) for a similar technique.
+
+## Query
+
+```Kusto
+​// Creation of any .jse file, including legitimate and malicious ones 
+DeviceFileEvents 
+| where Timestamp > ago(7d)
+| where FileName endswith ".jse"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Execution/jse-launched-by-word.md

@@ -0,0 +1,48 @@
+# Detect potentially malicious .jse launch by File Explorer or Word
+
+This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.
+
+Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments.
+
+The following query detects when Word or File Explorer have launched files with a *.jse* extension. Attackers involved in various [human-operated campaigns](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot.
+
+See [Detect .jse file creation events](../Delivery/detect-jscript-file-creation.md) for a similar technique.
+
+## Query
+
+```Kusto
+// Find potentially malicious .jse launch by File Explorer or Word 
+DeviceProcessEvents 
+| where Timestamp > ago(7d) 
+| where InitiatingProcessFileName in~ ("explorer.exe","winword.exe") 
+and FileName =~ "wscript.exe"
+and ProcessCommandLine contains ".jse"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access | v |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team