Adversaries may use Deno to download and execute files from remote HTTP(S) sources; the fetched content lands in the user's AppData directory (Deno's module cache), from which payloads can be persisted or executed. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify remote code execution attempts and early-stage malware deployment.
Detection Rule
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file fetched via a direct HTTP(S) call into the AppData folder, or bringing its own DLL along.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of Deno to request a file or bring a DLL to a host
level: low
Azure Sentinel query (ASIM imFileEvent schema):
imFileEvent
| where (TargetFilePath contains "\\deno\\gen\\" or TargetFilePath contains "\\deno\\remote\\https\\")
    and (TargetFilePath contains ":\\Users\\" and TargetFilePath contains "\\AppData\\")
Note: in the ASIM file-event schema the full path is carried in TargetFilePath; TargetFileName holds only the file name (no directory), so matching directory fragments against it never fires. KQL contains is case-insensitive, which matches Sigma's default string semantics.
Scenario: Legitimate Deno Application Writing to AppData
Description: A legitimate Deno application (e.g., deno run app.js) writes configuration files or logs to the AppData directory as part of its normal operation.
Filter/Exclusion: process.name == "deno.exe" && file.path contains "AppData" && (file.name contains "config" || file.name contains "log")
Scenario: Scheduled Job Updating Remote Assets
Description: A scheduled job (e.g., created with schtasks.exe) runs a Deno script that fetches and writes a remote file (e.g., a dependency or update file) to the AppData folder. The file event is attributed to the process doing the write (deno.exe); the task launcher only shows up as its parent, so the exclusion has to be keyed on the parent process.
Filter/Exclusion: (parent.name == "schtasks.exe" || parent.name == "taskhostw.exe") && process.name == "deno.exe" && file.path contains "AppData" && file.name contains "update"
Scenario: Admin Task Deploying Deno Application
Description: An admin task (e.g., run from PowerShell.exe or cmd.exe) deploys a Deno application that writes files to AppData during installation. A shell as the parent of deno.exe is also what a malicious one-liner looks like, so pair this exclusion with the expected user or installer path rather than relying on the shell name alone.
Filter/Exclusion: (parent.name == "powershell.exe" || parent.name == "cmd.exe") && process.name == "deno.exe" && file.path contains "AppData" && file.name contains "install"
Scenario: Deno CLI Writing to AppData for Cache
Description: The Deno CLI itself writes to the AppData folder to store cached modules and runtime data. The \deno\gen\ and \deno\remote\https\ paths the rule matches are that cache, so excluding cache writes in general disables the rule; tune on the writing process, the user, or the host-named subdirectory under \deno\remote\https\ instead, and keep the rule at level low.
Filter/Exclusion: process.name == "deno.exe" && file.path contains "AppData" && file.name contains "cache"
Scenario: Remote DLL Inclusion for Legitimate Dependency
Description: A Deno application pulls a legitimate remote DLL (e.g., from a trusted CDN) as one of its runtime dependencies.
Filter/Exclusion: `