JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Sigma rule (View on GitHub)
1title: JScript Compiler Execution
2id: 52788a70-f1da-40dd-8fbd-73b5865d6568
3status: test
4description: |
5 Detects the execution of the "jsc.exe" (JScript Compiler).
6 Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
9 - https://www.phpied.com/make-your-javascript-a-windows-exe/
10 - https://twitter.com/DissectMalware/status/998797808907046913
11author: frack113
12date: 2022/05/02
13modified: 2024/04/24
14tags:
15 - attack.defense_evasion
16 - attack.t1127
17logsource:
18 product: windows
19 category: process_creation
20detection:
21 selection:
22 - Image|endswith: '\jsc.exe'
23 - OriginalFileName: 'jsc.exe'
24 condition: selection
25falsepositives:
26 - Legitimate use to compile JScript by developers.
27# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
28level: low
References
Related rules
- C# IL Code Compilation Via Ilasm.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Arbitrary Code Execution Via Node.EXE
- Suspicious Child Process of AspNetCompiler
- Kavremover Dropped Binary LOLBIN Usage