MITRE ATT&CK® Analytic

AN0735: Analytic 0735

Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections.

Enterprise | AN0735 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting Node.js or JavaScript interpreter activity on Linux when it appears to originate from suspicious contexts such as web shells, cron jobs, or local user activity, especially when paired with reverse-shell-like behavior, file changes, or unusual outbound network connections. For leaders, the value is not simply “detect JavaScript,” but confirming whether the organization can distinguish legitimate server-side JavaScript operations from behavior that may indicate unauthorized execution or persistence on Linux systems.

Executive priority

Prioritize this where Linux servers support internet-facing applications, automation, or business-critical workloads. The decision value is in validating that SOC and incident response teams have enough host, process, file, and network evidence to investigate suspicious interpreter use quickly. This can support operational resilience, incident triage, and audit evidence for monitoring coverage, but the supplied ATT&CK object does not provide a specific tactic, technique relationship, or mitigation mapping.

Technical view

For SOC and detection engineering teams, validate whether Linux telemetry can correlate JavaScript or Node.js interpreter execution with parent context, execution source, user identity, cron scheduling, file modification activity, and outbound network behavior. Because no official detection logic is provided, implementation should focus on behavioral correlation rather than alerting on Node.js execution alone. Tune for expected application runtimes, developer activity, package managers, deployment tools, and scheduled automation to reduce false positives.

Likely telemetry

  • Linux process creation events, including command line, parent process, working directory, user, and timestamp
  • Web server process context where available, especially child processes spawned from web-facing services
  • Cron or scheduled task execution records
  • File creation, modification, and permission-change events around executed scripts or web directories
  • Outbound network connection telemetry from Linux hosts, including destination, port, process, and timing

Detection direction

  • Confirm that Node.js or JavaScript interpreter execution is visible on Linux endpoints and servers where it matters.
  • Correlate interpreter execution with suspicious parent processes, web-service contexts, cron execution, recent file modifications, or abnormal outbound connections as described by the analytic.
  • Avoid broad detections that treat all Node.js execution as malicious; establish baselines for production applications, CI/CD activity, administrators, and developers.
  • Review blind spots where endpoint telemetry is unavailable, command lines are truncated, process-to-network correlation is missing, or web shell activity cannot be tied back to a parent process.
  • Use local environment knowledge to define what counts as abnormal outbound behavior, since the ATT&CK object does not provide thresholds, destinations, or concrete detection logic.
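The correlation described in the Technical view and Detection direction sections, worked through as an added example (this is not MITRE's or Glexia's detection logic, and AN0735 ships none). It assumes a JSON-lines telemetry shape with `ts`, `type`, `pid`, `ppid`, `parent`, `user`, `exe`, `cmdline`, `dst`, `port`, `path` and `op` fields, which is an assumption to be mapped onto your EDR or auditd pipeline; the sample events, the `BASELINE` allowlist, the 60-second window and the scoring weights are all constructed for illustration.

```python
"""Correlate Node.js interpreter execution with its execution source and
follow-on shell, file and outbound-network activity.

Added example, not MITRE or Glexia code. Field names and all sample
telemetry below are constructed assumptions; adapt them to your pipeline.
"""
import json
from dataclasses import dataclass, asdict
from typing import List

# Constructed sample telemetry (JSON lines). One legitimate app runtime
# started by systemd, one node run under a web-service account, one cron
# job, and one developer session.
SAMPLE_EVENTS = """
{"ts": 100, "type": "process", "pid": 4001, "ppid": 1, "parent": "systemd", "user": "app", "exe": "/usr/bin/node", "cmdline": "node /opt/app/server.js", "cwd": "/opt/app"}
{"ts": 101, "type": "network", "pid": 4001, "dst": "10.0.5.20", "port": 5432}
{"ts": 200, "type": "process", "pid": 5100, "ppid": 2200, "parent": "php-fpm", "user": "www-data", "exe": "/usr/bin/node", "cmdline": "node /var/www/html/uploads/x.js", "cwd": "/var/www/html"}
{"ts": 201, "type": "file", "pid": 5100, "path": "/var/www/html/uploads/helper.js", "op": "create"}
{"ts": 202, "type": "process", "pid": 5101, "ppid": 5100, "parent": "node", "user": "www-data", "exe": "/bin/sh", "cmdline": "sh -i", "cwd": "/var/www/html"}
{"ts": 203, "type": "network", "pid": 5100, "dst": "203.0.113.45", "port": 4444}
{"ts": 300, "type": "process", "pid": 6100, "ppid": 900, "parent": "cron", "user": "backup", "exe": "/usr/bin/node", "cmdline": "node /home/backup/.cache/run.js", "cwd": "/"}
{"ts": 310, "type": "network", "pid": 6100, "dst": "198.51.100.9", "port": 443}
{"ts": 400, "type": "process", "pid": 7100, "ppid": 3000, "parent": "bash", "user": "dev", "exe": "/usr/bin/node", "cmdline": "node test.js", "cwd": "/home/dev/proj"}
"""

INTERPRETERS = {"/usr/bin/node", "/usr/local/bin/node", "/usr/bin/nodejs"}
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}
WEB_USERS = {"www-data", "apache", "nginx"}
CRON_PARENTS = {"cron", "crond", "anacron"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash"}
WEB_DIRS = ("/var/www", "/srv/www")
# Expected runtimes as (user, parent, cmdline prefix); this is the baseline
# the Detection direction section asks for, and it is environment-specific.
BASELINE = [("app", "systemd", "node /opt/app/")]
SOURCE_WEIGHT = {"web-service": 2, "cron": 1, "local-user": 0}
WINDOW = 60  # seconds of follow-on activity to correlate (assumed)


@dataclass
class Finding:
    pid: int
    user: str
    source: str
    cmdline: str
    reasons: List[str]
    severity: str


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_source(proc: dict) -> str:
    """Web-service, cron, or local-user context from parent and user."""
    if proc["parent"] in WEB_PARENTS or proc["user"] in WEB_USERS:
        return "web-service"
    if proc["parent"] in CRON_PARENTS:
        return "cron"
    return "local-user"


def is_baseline(proc: dict) -> bool:
    return any(proc["user"] == u and proc["parent"] == p and proc["cmdline"].startswith(prefix)
               for u, p, prefix in BASELINE)


def is_internal(dst: str) -> bool:
    """Crude internal-range check; replace with your own network baseline."""
    return dst.startswith(("10.", "192.168.", "127."))


def correlate(events: List[dict]) -> List[Finding]:
    """Score each non-baseline interpreter launch by its source and by the
    shell spawns, web-directory writes and external connections that follow
    it within WINDOW seconds. A bare local-user launch scores 0 and is
    suppressed, which is what keeps the rule from firing on every node run."""
    findings = []
    for proc in (e for e in events if e["type"] == "process"):
        if proc["exe"] not in INTERPRETERS or is_baseline(proc):
            continue
        source = classify_source(proc)
        score, reasons, t0 = SOURCE_WEIGHT[source], [], proc["ts"]
        for e in events:
            if not (t0 <= e["ts"] <= t0 + WINDOW):
                continue
            if e["type"] == "process" and e["ppid"] == proc["pid"] and e["exe"] in SHELLS:
                reasons.append(f"spawned shell {e['cmdline']!r} (pid {e['pid']})")
                score += 3
            elif e["type"] == "network" and e["pid"] == proc["pid"] and not is_internal(e["dst"]):
                reasons.append(f"outbound to {e['dst']}:{e['port']}")
                score += 2
            elif e["type"] == "file" and e["pid"] == proc["pid"] and e["path"].startswith(WEB_DIRS):
                reasons.append(f"{e['op']} {e['path']}")
                score += 2
        if score == 0:
            continue
        severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
        findings.append(Finding(proc["pid"], proc["user"], source, proc["cmdline"], reasons, severity))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(asdict(f)))
```

On the sample, the systemd-launched app is skipped by the baseline, the `www-data` launch under `php-fpm` reaches "high" on three correlated signals, the cron launch reaches "medium" on one external connection, and the developer's `node test.js` produces nothing. The weights are a starting point for tuning against the blind spots listed above (truncated command lines, missing process-to-network joins), not a finished rule.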

Mitigation priorities

  • Inventory where Node.js or JavaScript interpreters are expected on Linux systems and remove or restrict unnecessary runtimes where operationally feasible.
  • Harden internet-facing Linux application servers and limit the ability of web-service accounts to spawn interpreters or modify executable content.
  • Control cron and scheduled job creation through least privilege, change management, and monitoring.
  • Ensure incident responders can collect process, file, user, scheduled-task, and network evidence from affected Linux hosts.
  • Use detection validation exercises to confirm that suspicious interpreter execution plus network or file activity produces actionable SOC evidence.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique. It names Linux as the platform and describes correlation of Node.js or JavaScript interpreter execution with web shells, cron jobs, local users, reverse shell behavior, file modifications, or abnormal outbound connections. No relationships, tactics, or official detection logic were supplied, so this take focuses on defensive validation and telemetry readiness.

No official detection content, ATT&CK tactic, related technique, procedure examples, mitigations, or relationship context were supplied. Any production detection must be adapted to the organization’s Linux roles, expected Node.js usage, logging coverage, and network baselines.

Official MITRE ATT&CK definition

Analytic 0735

Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d05f91ba88e9812a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d05f91ba88e9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0735 (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.