Adversaries may pack malicious JavaScript (.js or .jse) payloads inside ZIP archives to evade basic detection mechanisms that inspect only the outer file. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify stealthy malware delivery that bypasses traditional file-based detection.
YARA Rule
rule PM_Zip_with_js
{
    strings:
        $hdr = "PK"            // ZIP local file header signature, expected at offset 0
        $e1  = ".js" nocase    // script extension, matched case-insensitively
        $e2  = ".jse" nocase   // encoded JScript extension (note: $e1 already matches any ".jse")
    condition:
        // Member names are repeated in the central directory at the end of the
        // archive, so the extension is searched for only in the last 100 bytes.
        $hdr at 0 and (($e1 in (filesize-100..filesize)) or ($e2 in (filesize-100..filesize)))
}
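As an added example (not part of the original rule or page), the script below re-implements the rule's condition in Python, compares it with a structural check that walks the ZIP central directory, and runs both over constructed in-memory archives: one with a single script member, one plain log archive, and one where the script member is followed by a member with a long name. The names and contents are constructed placeholders; the third case shows why the 100-byte tail window is a coverage limit worth knowing when tuning this rule.

```python
import io
import zipfile

SCRIPT_EXTS = (b".js", b".jse")
TAIL = 100  # the rule only inspects the last 100 bytes of the file


def tail_match(data: bytes) -> bool:
    """Re-implements the rule's condition: 'PK' at offset 0 and a
    case-insensitive .js/.jse string within the last TAIL bytes."""
    if not data.startswith(b"PK"):
        return False
    window = data[-TAIL:].lower()
    return any(ext in window for ext in SCRIPT_EXTS)


def structured_match(data: bytes) -> bool:
    """Stronger check: parse the central directory and inspect every
    member name, regardless of where its entry sits in the file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".js", ".jse")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_zip(members):
    """Builds a constructed sample archive in memory (stored entries,
    fixed timestamp, so the resulting bytes are deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()


PLACEHOLDER = b"// constructed placeholder content\n"
# Single script member: the tail rule and the structured check agree.
SCRIPT_ZIP = build_zip([("invoice_details.JSE", PLACEHOLDER)])
# Plain log archive (the sysadmin scenario): neither check fires.
LOG_ZIP = build_zip([("app.log", b"2024-01-01 INFO service started\n")])
# Script member followed by a member with a 63-character name: the script's
# central-directory entry now ends more than 100 bytes before EOF, so the
# tail-only rule misses it while the structured check still reports it.
BURIED_ZIP = build_zip([
    ("invoice_details.js", PLACEHOLDER),
    ("2024_Q3_board_report_final_version_reviewed_by_finance_team.txt", b"report\n"),
])

if __name__ == "__main__":
    for label, blob in (("SCRIPT_ZIP", SCRIPT_ZIP), ("LOG_ZIP", LOG_ZIP), ("BURIED_ZIP", BURIED_ZIP)):
        print(f"{label}: rule={tail_match(blob)} structured={structured_match(blob)}")
```

Running it prints `rule=True` for the first archive, `rule=False` for the other two, while `structured_match` reports the script member in both the first and the third; in Sentinel, pairing the YARA hit with archive-member metadata from the file scanner closes that gap.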
This rule contains 3 string patterns in its detection logic. The following benign scenarios also produce ZIP archives that contain JavaScript files or match the rule's strings; each lists a filter or exclusion that can be applied to reduce false positives:
Scenario: Developer using JSZip to generate a ZIP file for a deployment package
Filter/Exclusion: Check for the presence of jszip in the file name or content, and ensure the file is generated by a known deployment tool like npm or Webpack.
Scenario: System administrator compressing logs using a standard ZIP utility
Filter/Exclusion: Filter files created by zip or 7z command-line tools, and check for log directories or files with known log extensions (e.g., .log, .txt).
Scenario: Scheduled job exporting data to ZIP format for reporting
Filter/Exclusion: Identify files generated by a known reporting tool (e.g., Power BI, Tableau, or SQL Server Reporting Services) and filter based on the job name or schedule.
Scenario: User downloading a ZIP file containing JavaScript libraries for a web project
Filter/Exclusion: Check for the presence of known JavaScript library names (e.g., lodash, react, angular) and ensure the file is downloaded from a trusted source (e.g., npm, GitHub, or CDN).
Scenario: Security tool or SIEM system generating ZIP archives for log archiving
Filter/Exclusion: Filter files created by log management tools (e.g., Splunk, ELK Stack, Graylog) and check for timestamps or metadata indicating log archiving activity.