HackTool - Jlaive In-Memory Assembly Execution

 1title: HackTool - Jlaive In-Memory Assembly Execution
 2id: 0a99eb3e-1617-41bd-b095-13dc767f3def
 3status: test
 4description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
 5references:
 6    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
 7    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
 8author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
 9date: 2022-05-24
10modified: 2023-02-22
11tags:
12    - attack.execution
13    - attack.t1059.003
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    parent_selection:
19        ParentImage|endswith: '\cmd.exe'
20        ParentCommandLine|endswith: '.bat'
21    selection1:
22        Image|endswith: '\xcopy.exe'
23        CommandLine|contains|all:
24            - 'powershell.exe'
25            - '.bat.exe'
26    selection2:
27        Image|endswith: '\xcopy.exe'
28        CommandLine|contains|all:
29            - 'pwsh.exe'
30            - '.bat.exe'
31    selection3:
32        Image|endswith: '\attrib.exe'
33        CommandLine|contains|all:
34            - '+s'
35            - '+h'
36            - '.bat.exe'
37    condition: parent_selection and (1 of selection*)
38falsepositives:
39    - Unknown
40level: medium

References

• Using Jlaive to create batch files from .NET assemblies for defense evasion | Welcome to Jstnk webpage

  

  Summary

  
  Read More

• GitHub - ch2sh/Jlaive: .NET Antivirus Evasion Tool (Exe2Bat)

  

  .NET Antivirus Evasion Tool (Exe2Bat). Contribute to ch2sh/Jlaive development by creating an account on GitHub.

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• Command Line Execution with Suspicious URL and AppData Strings
• Conhost.exe CommandLine Path Traversal
• Elise Backdoor Activity
• Exploited CVE-2020-10189 Zoho ManageEngine