sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Deno File Written from Remote Source

Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1204 T1059.007 T1105

Rule sourcerules/windows/file/file_event/file_event_win_creation_deno.yml

title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low