Detection rules › Sigma
Suspicious Deno File Written from Remote Source
Detects Deno writing a file fetched over a direct HTTP(S) call into the user's AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.007 Command and Scripting Interpreter: JavaScript, T1204 User Execution |
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection_path
or:
- TargetFilename|contains: '\deno\gen\'
- TargetFilename|contains: '\deno\remote\https\'
- TargetFilename|contains: ':\Users\'
- TargetFilename|contains: '\AppData\'
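To make the stage concrete, here is the selection_path predicate evaluated against constructed Sysmon Event ID 11 (FileCreate) records. This is an added example written for this page, not code from SigmaHQ or from any SIEM backend; the file paths, the `example.invalid` host name and the process images are constructed, and the helper names `sigma_contains`, `selection_path`, `matches`, `explain` and `run` are this example's own.

```python
"""Added example: evaluate the rule's selection_path stage against sample
Sysmon Event ID 11 records. Illustrative code for this page only, not the
Sigma rule's own implementation or any SIEM backend's matching engine."""

# Substrings from the selection_path stage as rendered above (OR-ed).
SELECTION_PATH = [
    "\\deno\\gen\\",
    "\\deno\\remote\\https\\",
    ":\\Users\\",
    "\\AppData\\",
]

# Constructed Sysmon records (EventID 11 = FileCreate). Paths, host name and
# process images are made up for this example.
DENO = "C:\\Users\\alice\\.deno\\bin\\deno.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DENO,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\deno\\gen\\https\\example.invalid\\loader.js"},
    {"EventID": 11, "Image": DENO,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\deno\\remote\\https\\example.invalid\\a1b2c3"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\ProgramData\\notes.txt"},
    # Not a FileCreate event: must be excluded by the event coverage check.
    {"EventID": 3, "Image": DENO, "TargetFilename": ""},
    # Mixed case: Sigma string modifiers are case-insensitive unless 'cased' is used.
    {"EventID": 11, "Image": DENO,
     "TargetFilename": "C:\\USERS\\bob\\APPDATA\\Local\\DENO\\GEN\\https\\example.invalid\\x.js"},
    # A non-Deno write into a user profile: shows how broad ':\Users\' and '\AppData\' are on their own.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\notes.txt"},
]


def sigma_contains(field_value, needle):
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    return needle.lower() in field_value.lower()


def selection_path(event):
    """Stage 1 as rendered on this page: any listed substring in TargetFilename."""
    value = event.get("TargetFilename", "")
    return any(sigma_contains(value, needle) for needle in SELECTION_PATH)


def matches(event):
    """Apply the event coverage (Sysmon EID 11) and then the selection stage."""
    return event.get("EventID") == 11 and selection_path(event)


def explain(event):
    """Return the indicator substrings that fired for one event, in rule order."""
    value = event.get("TargetFilename", "")
    return [needle for needle in SELECTION_PATH if sigma_contains(value, needle)]


def run(events):
    """Return the TargetFilename of every event the stage matches."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if matches(event):
            print("MATCH", event["Image"], event["TargetFilename"], explain(event))
```

Running this over the six constructed records fires on four: the two Deno cache writes, the mixed-case Deno cache write, and the Notepad write into AppData. The last one is the caveat a practitioner should keep in mind: `:\Users\` and `\AppData\` match any write into a user profile, so in the OR list rendered on this page they add little discrimination by themselves, and the rule's remaining conditions (the page reproduces only Stage 1) are what keep the alert scoped to Deno.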
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| TargetFilename | match (contains) | `\deno\gen\`, `\deno\remote\https\`, `:\Users\`, `\AppData\` |