EXPLORE
Sign In
← Back to Explore
sigmalowHunting

JScript Compiler Execution

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

MITRE ATT&CK

T1127
defense-evasion

Detection Query

selection:
  - Image|endswith: \jsc.exe
  - OriginalFileName: jsc.exe
condition: selection

Author

frack113

Created

2022-05-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1127
Raw Content
title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low