title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low