Detects the use of Jlaive to execute assemblies in a copied PowerShell
title: HackTool - Jlaive In-Memory Assembly Execution
id: 0a99eb3e-1617-41bd-b095-13dc767f3def
status: test
description: |
    Detects the use of Jlaive to execute .NET assemblies in memory through a copied PowerShell.
    The Jlaive batch launcher copies powershell.exe or pwsh.exe to a file named '<name>.bat.exe'
    with xcopy and hides it with attrib +s +h; both staging steps are matched here under a cmd.exe
    parent that is running a .bat file.
references:
    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-24
modified: 2023-02-22
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    parent_selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|endswith: '.bat'
    selection1:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'powershell.exe'
            - '.bat.exe'
    selection2:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'pwsh.exe'
            - '.bat.exe'
    selection3:
        Image|endswith: '\attrib.exe'
        CommandLine|contains|all:
            - '+s'
            - '+h'
            - '.bat.exe'
    condition: parent_selection and (1 of selection*)
falsepositives:
    - Unknown
level: medium
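The rule's three selections and its condition, applied to a handful of constructed process_creation events. This is an added example and is not part of the Sigma rule, the Sigma project or Jlaive; the event dicts, the launcher name `payload.bat` and the `evaluate`/`matches_jlaive_rule` helpers are assumptions made for illustration, and the field names follow the Sigma process_creation schema (Image, CommandLine, ParentImage, ParentCommandLine). Sigma string modifiers are case-insensitive by default, so every comparison is done on lowercased text.

```python
"""Evaluate the 'HackTool - Jlaive In-Memory Assembly Execution' logic
over constructed Windows process_creation events (not real telemetry)."""


def _lower(event, field):
    """Fetch a field as lowercase text (Sigma matching is case-insensitive)."""
    return str(event.get(field, "")).lower()


def parent_selection(event):
    """parent_selection: parent is cmd.exe whose command line ends in '.bat'."""
    return (_lower(event, "ParentImage").endswith("\\cmd.exe")
            and _lower(event, "ParentCommandLine").endswith(".bat"))


def xcopy_of_powershell(event):
    """selection1 / selection2: xcopy copying powershell.exe or pwsh.exe
    to a file named *.bat.exe."""
    cmd = _lower(event, "CommandLine")
    return (_lower(event, "Image").endswith("\\xcopy.exe")
            and ("powershell.exe" in cmd or "pwsh.exe" in cmd)
            and ".bat.exe" in cmd)


def attrib_hide_bat_exe(event):
    """selection3: attrib marking the copied *.bat.exe as system + hidden."""
    cmd = _lower(event, "CommandLine")
    return (_lower(event, "Image").endswith("\\attrib.exe")
            and "+s" in cmd and "+h" in cmd and ".bat.exe" in cmd)


def matches_jlaive_rule(event):
    """condition: parent_selection and (1 of selection*)"""
    return parent_selection(event) and (xcopy_of_powershell(event)
                                       or attrib_hide_bat_exe(event))


def evaluate(events):
    """Return one verdict per event, in order."""
    return [matches_jlaive_rule(e) for e in events]


# Constructed sample events; 'payload.bat' is a hypothetical launcher name.
_LAUNCHER_PARENT = {
    "ParentImage": r"C:\Windows\System32\cmd.exe",
    "ParentCommandLine": r"cmd /c C:\Users\user\Downloads\payload.bat",
}

SAMPLE_EVENTS = [
    # 0: xcopy stages powershell.exe as payload.bat.exe under the launcher -> match
    {**_LAUNCHER_PARENT,
     "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy /Y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
                    r"C:\Users\user\Downloads\payload.bat.exe"},
    # 1: attrib hides the staged copy -> match
    {**_LAUNCHER_PARENT,
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +s +h C:\Users\user\Downloads\payload.bat.exe"},
    # 2: same parent, but xcopy of an ordinary document -> no match
    {**_LAUNCHER_PARENT,
     "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy /Y C:\data\report.docx D:\backup\ "},
    # 3: attrib +s +h on a file that is not *.bat.exe -> no match
    {**_LAUNCHER_PARENT,
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +s +h C:\Users\user\AppData\Local\Temp\cache.dat"},
    # 4: staging step identical to 0, but the parent command line is quoted,
    #    so it ends in '"' rather than '.bat' and parent_selection fails -> no match
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd /c "C:\Users\user\Downloads\payload.bat"',
     "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy /Y C:\Program Files\PowerShell\7\pwsh.exe "
                    r"C:\Users\user\Downloads\payload.bat.exe"},
    # 5: pwsh.exe copied to *.bat.exe, but parent is explorer.exe -> no match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy /Y C:\Program Files\PowerShell\7\pwsh.exe "
                    r"C:\Users\user\Downloads\payload.bat.exe"},
]


if __name__ == "__main__":
    for idx, verdict in enumerate(evaluate(SAMPLE_EVENTS)):
        print(f"event {idx}: {'ALERT' if verdict else 'no match'}")
```

Event 4 is the caveat worth keeping in mind when tuning this rule: `ParentCommandLine|endswith: '.bat'` only fires when the batch path is the last token of cmd.exe's command line, so a launcher invoked with a quoted path (or with trailing arguments) satisfies the xcopy/attrib selections yet never reaches the condition. Depending on how launchers appear in your telemetry, `ParentCommandLine|contains: '.bat'` may be the more robust, if noisier, anchor.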
imProcessCreate
| where ((ParentProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\cmd.exe")
         and ActingProcessCommandLine endswith ".bat")
    and (
        (TargetProcessName endswith "\\xcopy.exe"
         and (TargetProcessCommandLine contains "powershell.exe" and TargetProcessCommandLine contains ".bat.exe"))
        or (TargetProcessName endswith "\\xcopy.exe"
         and (TargetProcessCommandLine contains "pwsh.exe" and TargetProcessCommandLine contains ".bat.exe"))
        or (TargetProcessName endswith "\\attrib.exe"
         and (TargetProcessCommandLine contains "+s" and TargetProcessCommandLine contains "+h" and TargetProcessCommandLine contains ".bat.exe"))
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM ProcessEvent unifying parser; ensure the ASIM parsers are deployed and at least one process-creation source (Sysmon, Security event 4688 or Microsoft Defender for Endpoint) is connected so the parser returns data |