JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Sigma rule (View on GitHub)
1title: JScript Compiler Execution
2id: 52788a70-f1da-40dd-8fbd-73b5865d6568
3status: test
4description: |
5 Detects the execution of the "jsc.exe" (JScript Compiler).
6 Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
9 - https://www.phpied.com/make-your-javascript-a-windows-exe/
10 - https://twitter.com/DissectMalware/status/998797808907046913
11author: frack113
12date: 2022/05/02
13modified: 2024/04/24
14tags:
15 - attack.defense_evasion
16 - attack.t1127
17logsource:
18 product: windows
19 category: process_creation
20detection:
21 selection:
22 - Image|endswith: '\jsc.exe'
23 - OriginalFileName: 'jsc.exe'
24 condition: selection
25falsepositives:
26 - Legitimate use to compile JScript by developers.
27# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
28level: low
References
-
Execute: WSH This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript.
Read More -
These days an average web developer needs to have a broad matrix of skills in order to do his/her job. HTML, CSS, JavaScript, AJAX, XML, some server side language, some linux skills, some apache, some database skills, standards, accessibility, SEO, the list goes on. Parts of the list are also multip
Read More -
Related rules
- C# IL Code Compilation Via Ilasm.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Arbitrary Code Execution Via Node.EXE
- Suspicious Child Process of AspNetCompiler
- Kavremover Dropped Binary LOLBIN Usage