Find sigma rule

Attack: Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

MITRE

Tactic

defense-evasion

technique

T1127

Test : Lolbin Jsc.exe compile javascript to exe

OS

windows

Description:

Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Executor

command_prompt

Sigma Rule

proc_creation_win_jsc_execution.yml (id: 52788a70-f1da-40dd-8fbd-73b5865d6568)
file_event_win_susp_binary_dropper.yml (id: 297afac9-5d02-4138-8c58-b977bac60556)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test