JScript Compiler Execution

Apr 28, 2026 · attack.execution attack.stealth attack.t1127 ·

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Sigma rule (View on GitHub)

 1title: JScript Compiler Execution
 2id: 52788a70-f1da-40dd-8fbd-73b5865d6568
 3status: test
 4description: |
 5    Detects the execution of the "jsc.exe" (JScript Compiler).
 6    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.    
 7references:
 8    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
 9    - https://www.phpied.com/make-your-javascript-a-windows-exe/
10    - https://twitter.com/DissectMalware/status/998797808907046913
11author: frack113
12date: 2022-05-02
13modified: 2024-04-24
14tags:
15    - attack.execution
16    - attack.stealth
17    - attack.t1127
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection:
23        - Image|endswith: '\jsc.exe'
24        - OriginalFileName: 'jsc.exe'
25    condition: selection
26falsepositives:
27    - Legitimate use to compile JScript by developers.
28# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
29level: low

JScript Compiler Execution

Sigma rule (View on GitHub)

References

https://lolbas-project.github.io/lolbas/Binaries/Jsc/

https://www.phpied.com/make-your-javascript-a-windows-exe/

https://twitter.com/DissectMalware/status/998797808907046913

Related rules