Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a
javascript context). Adversaries may abuse Deno to run malicious JavaScript for execution or staging.
"""
from="now-9m"
index=[
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language="eql"
license="Elastic License v2"
name="Suspicious JavaScript Execution via Deno"
note="""## Triage and analysis
### Investigating Suspicious JavaScript Execution via Deno
Deno is a legitimate JavaScript/TypeScript runtime. This rule fires when a Deno process (identified by process name, PE original filename, or the code signer "DenoLandInc.") is started with a command line matching one of the suspicious patterns: JavaScript combined with base64, eval(, http, or a JavaScript import. These patterns are commonly used to run inline or remote scripts rather than a local project file, and can indicate abuse.
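Added example, not part of this rule and not its EQL query: a Python model of the process identification and command-line matching described above, run over constructed process events. The regex shapes, the sample events and the example.invalid URL are assumptions; the spaced form of the signer name is handled by comparing with spaces removed.

```python
import re

# Constructed sample process events in ECS-style fields (not real host data).
SAMPLE_EVENTS = [
    {"process": {"name": "deno.exe", "pe": {"original_file_name": "deno.exe"},
                 "command_line": 'deno eval "eval(atob(\'...\'))"'}},
    # Renamed binary: the PE original file name still identifies Deno.
    {"process": {"name": "updater.exe", "pe": {"original_file_name": "deno.exe"},
                 "command_line": "updater.exe run -A https://example.invalid/stage.js"}},
    # Benign developer usage: no suspicious pattern on the command line.
    {"process": {"name": "deno.exe", "command_line": "deno run main.ts"}},
    # Only the code signer gives the runtime away.
    {"process": {"name": "tool.exe", "code_signature": {"subject_name": "Deno Land Inc."},
                 "command_line": 'tool.exe eval "import(\'data:text/javascript;base64,...\')"'}},
    # Different runtime: out of scope for this rule.
    {"process": {"name": "node.exe", "command_line": 'node -e "eval(...)"'}},
]
DENO_NAMES = {"deno", "deno.exe"}
# The note writes the signer without spaces; compare space-stripped (assumption).
DENO_SIGNER = "denolandinc."
# Patterns named in the note; regex shapes are my approximation, not the rule's EQL.
PATTERNS = [
    ("base64", re.compile(r"base64", re.I)),
    ("eval(", re.compile(r"\beval\s*\(", re.I)),
    ("http", re.compile(r"https?://", re.I)),
    ("import", re.compile(r"\bimport\b", re.I)),
]

def is_deno(event):
    proc = event.get("process", {})
    name = proc.get("name", "").lower()
    orig = proc.get("pe", {}).get("original_file_name", "").lower()
    signer = proc.get("code_signature", {}).get("subject_name", "")
    return (name in DENO_NAMES or orig in DENO_NAMES
            or signer.replace(" ", "").lower() == DENO_SIGNER)

def suspicious_pattern(command_line):
    for label, rx in PATTERNS:
        if rx.search(command_line):
            return label
    return None

def evaluate(events):
    # (command_line, label) for every Deno process with a suspicious command line.
    hits = []
    for ev in events:
        cmd = ev.get("process", {}).get("command_line", "")
        if is_deno(ev) and (label := suspicious_pattern(cmd)):
            hits.append((cmd, label))
    return hits
```

The command lines returned by evaluate() are the values a triage analyst would then review in process.command_line and process.args.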
### Possible investigation steps
- Review process.command_line and process.args to see the exact script or URL being executed.
- Identify the parent process and how Deno was launched (user, script, terminal, or other tool).
- Check whether Deno is approved on the host; if not, treat as potential unauthorized software execution.
- Correlate with file creation or network events around the same time (downloads, script drops).
### False positive analysis
- Legitimate development or automation that runs Deno with eval, http imports, or base64-encoded snippets may trigger; allowlist by host or command-line pattern where appropriate.
### Response and remediation
- If abuse is confirmed: contain the host, terminate the Deno process, and remove or block Deno if not authorized; investigate how the script was delivered and scope for similar activity.