JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Sigma rule (View on GitHub)
1title: JScript Compiler Execution
2id: 52788a70-f1da-40dd-8fbd-73b5865d6568
3status: test
4description: |
5 Detects the execution of the "jsc.exe" (JScript Compiler).
6 Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
9 - https://www.phpied.com/make-your-javascript-a-windows-exe/
10 - https://twitter.com/DissectMalware/status/998797808907046913
11author: frack113
12date: 2022-05-02
13modified: 2024-04-24
14tags:
15 - attack.defense-evasion
16 - attack.t1127
17logsource:
18 product: windows
19 category: process_creation
20detection:
21 selection:
22 - Image|endswith: '\jsc.exe'
23 - OriginalFileName: 'jsc.exe'
24 condition: selection
25falsepositives:
26 - Legitimate use to compile JScript by developers.
27# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
28level: low
References
-
Jsc.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
These days an average web developer needs to have a broad matrix of skills in order to do his/her job. HTML, CSS, JavaScript, AJAX, XML, some server side language, some linux skills, some apache, some database skills, standards, accessibility, SEO, the list goes on. Parts of the list are also multip
Read More
Related rules
- AspNetCompiler Execution
- C# IL Code Compilation Via Ilasm.EXE
- Detection of PowerShell Execution via Sqlps.exe
- Kavremover Dropped Binary LOLBIN Usage
- Node Process Executions