Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
## Atomic Test #1
Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/

**Supported Platforms:** Windows

**auto_generated_guid:** 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\hello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
```

#### Cleanup Commands:
```cmd
del %TEMP%\hello.js
del %TEMP%\hello.exe
```

#### Dependencies: Run with `powershell`!
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
```
## Atomic Test #2
Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/

**Supported Platforms:** Windows

**auto_generated_guid:** 3fc9fea2-871d-414d-8ef6-02e85e322b80

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\LibHello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
```

#### Cleanup Commands:
```cmd
del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
```

#### Dependencies: Run with `powershell`!
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
```
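Both atomic tests above leave the same footprint in process-creation telemetry: a Microsoft-signed `jsc.exe` launched from a shell rather than a build tool, compiling a source file out of a user-writable directory such as `%TEMP%`, and in the second test emitting a DLL via `/t:library`. The following triage routine is an added example, not part of the Atomic Red Team page or project: it assumes Sysmon Event ID 1 / Security 4688-style fields (image, command line, parent image), and the parent allow-list, path patterns, weights and sample events are all constructed for illustration. It covers both tests, and generalises slightly by also accepting the long `/target:library` spelling of the flag.

```python
"""Triage of process-creation events for jsc.exe abuse (T1127).

Constructed example: the event records, the parent allow-list and the
scoring thresholds are assumptions for illustration, not project code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    image: str
    command_line: str
    parent_image: str


# Paths a build server would not compile from, but which an interactive user
# (or a dropper) routinely writes to. Assumed list; tune to the environment.
USER_WRITABLE = re.compile(
    r"\\(Temp|AppData|Users\\Public|Downloads|ProgramData)\\", re.IGNORECASE
)
# Parents that legitimately drive the .NET compilers during a build (assumed).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
# /t: is the short form of /target:; "library" emits a DLL instead of an EXE.
LIBRARY_FLAG = re.compile(r"(?:^|\s)/t(?:arget)?:library\b", re.IGNORECASE)
# Weights: a DLL target alone is normal build activity; the other two are not.
WEIGHTS = {"non-dev-parent": 2, "source-in-user-writable-path": 2, "compiles-to-dll": 1}
ALERT_THRESHOLD = 2


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyze(event: ProcessEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing of note."""
    if basename(event.image) != "jsc.exe":
        return []
    findings = []
    if basename(event.parent_image) not in DEV_PARENTS:
        findings.append("non-dev-parent")
    if USER_WRITABLE.search(event.command_line):
        findings.append("source-in-user-writable-path")
    if LIBRARY_FLAG.search(event.command_line):
        findings.append("compiles-to-dll")
    return findings


def score(findings: list[str]) -> int:
    """Weighted sum of findings; compared against ALERT_THRESHOLD."""
    return sum(WEIGHTS[f] for f in findings)


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Events whose weighted findings reach the alert threshold."""
    alerts = []
    for event in events:
        findings = analyze(event)
        if score(findings) >= ALERT_THRESHOLD:
            alerts.append((event, findings))
    return alerts


JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed events. The first two mirror the page's atomic tests as they
# would be logged after cmd.exe expands %TEMP%; the others are benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(JSC, rf"{JSC} {TEMP}\hello.js", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(JSC, rf"{JSC} /t:library {TEMP}\LibHello.js", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(JSC, rf"{JSC} /t:library C:\src\app\Scripts.js",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 rf"notepad.exe {TEMP}\notes.txt", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for event, findings in scan(SAMPLE_EVENTS):
        print(f"ALERT score={score(findings)} {findings}: {event.command_line}")
```

Run against the constructed events, the two atomic-test launches score 4 and 5 and are reported, while the MSBuild-driven `/t:library` compile from a source tree scores 1 and stays quiet. The weighting is the point: `jsc.exe` is signed and legitimately present on every host with the .NET Framework, so the detection rests on parent process and source location rather than on the binary itself, and the DLL target only sharpens an alert that already fired.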