Suspicious Deno File Written from Remote Source

    Date: 05/28/2025

    Severity: Medium

    Summary

    Identifies Deno activity in which a file is downloaded via a direct HTTP(S) request and written to the AppData directory, or in which a suspicious DLL is bundled with the application. This behavior may indicate an attempt to execute remotely hosted or potentially malicious content using Deno.

    Indicators of Compromise (IOC) List

    Filename

    '\deno\gen\'

    '\deno\remote\https\'

    ':\Users\'

    '\AppData\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query:

    (resourcename = "Windows Security" AND eventtype = "4663") AND (filename like "\deno\gen" OR filename like "\deno\remote\https" OR filename like ":\Users" OR filename like "\AppData")

    Detection Query:

    technologygroup = "EDR" AND (filename like "\deno\gen" OR filename like "\deno\remote\https" OR filename like ":\Users" OR filename like "\AppData")
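    The two queries above share one path test, which they apply either to Windows Security event 4663 records or to EDR file telemetry. The following Python is an added example, not Gurucul's or the Sigma project's code: it reproduces both queries over constructed sample events (the `id` and `image` fields, the user names, the host name and the cache hash are all placeholders) and puts a tightened variant beside them, which is an assumption of this example rather than anything the page states. Running it makes one property of the page's query visible: because ":\Users" and "\AppData" are ORed in with the Deno-specific fragments, any write under a user profile satisfies the path test, so the constructed Word autosave fires the page query while the tightened variant, which additionally requires the writing process to be deno.exe and the path to lie in Deno's remote-module or generated-code cache, does not.

```python
# Added example (not from the Gurucul page or the Sigma project): applies the page's two
# detection queries to constructed file-event records and contrasts them with a tightened
# variant. Field names "image" and "id" are assumptions; the page's queries only use
# resourcename, eventtype, technologygroup and filename.
from typing import Dict, Iterable, Tuple

# IOC path fragments exactly as the page's queries test them (no trailing backslash).
PATH_FRAGMENTS = (r"\deno\gen", r"\deno\remote\https", r":\Users", r"\AppData")

# Fragments specific to Deno's on-disk cache layout; used only by the tightened variant.
DENO_SPECIFIC = (r"\deno\gen", r"\deno\remote\https")


def path_matches(filename: str, fragments: Iterable[str] = PATH_FRAGMENTS) -> bool:
    """Case-insensitive substring test, since NTFS paths are case-insensitive."""
    lowered = filename.lower()
    return any(frag.lower() in lowered for frag in fragments)


def matches_page_query(event: Dict[str, str]) -> bool:
    """Reproduces the two queries on the page; the 'like' clauses are read as substring matches."""
    filename = event.get("filename", "")
    # Query 1: Windows Security object-access event 4663 on a matching path.
    if event.get("resourcename") == "Windows Security" and str(event.get("eventtype")) == "4663":
        return path_matches(filename)
    # Query 2: any EDR file telemetry on a matching path.
    if event.get("technologygroup") == "EDR":
        return path_matches(filename)
    return False


def matches_tightened(event: Dict[str, str]) -> bool:
    """Assumed refinement (not on the page): the writing process must be deno.exe and the
    path must be inside Deno's remote-module or generated-code cache."""
    image = event.get("image", "").lower()
    if not image.endswith(r"\deno.exe"):
        return False
    return path_matches(event.get("filename", ""), DENO_SPECIFIC)


# Constructed sample events (not real telemetry); names, host and hash are placeholders.
SAMPLE_EVENTS = [
    {   # Deno caching a remote module into the user's AppData cache
        "id": "deno-remote", "resourcename": "Windows Security", "eventtype": "4663",
        "image": r"C:\Users\alice\.deno\bin\deno.exe",
        "filename": r"C:\Users\alice\AppData\Local\deno\remote\https\example.com\0f9a1b",
    },
    {   # Ordinary Office autosave under the profile: matches ':\Users' and '\AppData'
        "id": "word-autosave", "resourcename": "Windows Security", "eventtype": "4663",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "filename": r"C:\Users\bob\AppData\Roaming\Microsoft\Word\AutoRecovery save of report.asd",
    },
    {   # EDR file event for Deno's generated-code cache outside the profile
        "id": "edr-deno-gen", "technologygroup": "EDR",
        "image": r"C:\Tools\deno.exe",
        "filename": r"C:\ProgramData\deno\gen\file\C\Tools\app.ts.js",
    },
    {   # Logon event: wrong event id and no filename, so neither query applies
        "id": "logon", "resourcename": "Windows Security", "eventtype": "4624",
        "image": r"C:\Windows\System32\lsass.exe", "filename": "",
    },
]


def evaluate(events: Iterable[Dict[str, str]]) -> Dict[str, Tuple[bool, bool]]:
    """Map each event id to (page_query_fired, tightened_variant_fired)."""
    return {e["id"]: (matches_page_query(e), matches_tightened(e)) for e in events}


if __name__ == "__main__":
    for event_id, (page, tight) in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:<14} page_query={page!s:<5} tightened={tight}")
```

    The `like` clauses are interpreted here as substring matches; if the target SIEM treats `like` without wildcards as an exact comparison, the page's queries would need `%` wildcards around each fragment to behave as this example does.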

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_creation_deno.yml


    Tags

    Sigma, Vulnerability, Deno, DLL
