Find sigma rule
Attack: Trusted Developer Utilities Proxy Execution
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
MITRE
Tactic
- defense-evasion
technique
- T1127
Test : Lolbin Jsc.exe compile javascript to dll
OS
- windows
Description:
Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/
Executor
command_prompt
Sigma Rule
- proc_creation_win_jsc_execution.yml (id: 52788a70-f1da-40dd-8fbd-73b5865d6568)