← Library
sigmaDRL-1.1from SigmaHQ/sigma

JScript Compiler Execution

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Quality
98
FP risk
Forks
0
Views
0
ATT&CK techniques
T1127
Rule sourcerules/windows/process_creation/proc_creation_win_jsc_execution.yml
title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low