security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4989d43ae97015f8113aed2efcd49d288b8fec21
blue-team-tools/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
T
Nasreddine Bencherchali f61c1f4509 Merge PR #4832 from @nasbench - Update LOLBIN rules 
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-26 13:40:11 +02:00

29 lines
969 B
YAML
Raw Blame History

title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
Detects the execution of the "jsc.exe" (JScript Compiler).
Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Jsc/
- https://www.phpied.com/make-your-javascript-a-windows-exe/
- https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022/05/02
modified: 2024/04/24
tags:
- attack.defense_evasion
- attack.t1127
logsource:
product: windows
category: process_creation
detection:
selection:
- Image|endswith: '\jsc.exe'
- OriginalFileName: 'jsc.exe'
condition: selection
falsepositives:
- Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low
Reference in New Issue View Git Blame Copy Permalink