Suspicious Managed Code Hosting Process

Identifies a suspicious managed code hosting process, which could indicate code injection or another form of suspicious code execution. The rule keys on the creation or modification of a .NET CLR UsageLog file (named after the hosting executable, e.g. mshta.exe.log) for Windows binaries that do not normally host managed code, such as wscript.exe, cscript.exe, mshta.exe, wmic.exe, svchost.exe, dllhost.exe, cmstp.exe and regsvr32.exe.

Elastic rule (source on GitHub):

```toml
[metadata]
creation_date = "2020/08/21"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious
code execution.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "endgame-*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Managed Code Hosting Process"
references = [
    "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
]
risk_score = 73
rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.name : ("wscript.exe.log",
               "cscript.exe.log",
               "mshta.exe.log",
               "wmic.exe.log",
               "svchost.exe.log",
               "dllhost.exe.log",
               "cmstp.exe.log",
               "regsvr32.exe.log")
'''

note = """## Triage and analysis

### Investigating Suspicious Managed Code Hosting Process

#### Possible investigation steps

- What CLR UsageLog behavior did the alert preserve?
  - Focus: `file.path`, `file.name`, `event.type`, and acting `process.name` / `process.executable`.
  - Implication: escalate when the UsageLog host has no stable process/user pattern; lower suspicion only as an initial read when the same path and process recur for the same product, deployment, login-script, COM, or service-host context.
- Is the managed host the genuine Windows binary rather than a lookalike?
  - Focus: same-process start evidence for `host.id` and `process.entity_id`: `process.executable`, hash, original file name, signer, and trust. $investigate_0
  - Hint: if a source lacks `process.entity_id`, fall back to `process.pid` plus `host.id` in a tight alert-time window to avoid PID reuse. $investigate_3
  - Implication: escalate when the host binary runs from a user-writable path, has a mismatched original file name, or has an unexpected signer; lower suspicion only when identity, signer, path, and the UsageLog host name all point to the same genuine Windows host.
- Does the launch chain explain why this host loaded managed code?
  - Focus: `process.command_line`, parent executable/command line, `user.id`, and session context.
  - Implication: escalate when Office, browsers, archive tools, remote sessions, or user-writable scripts drive mshta, wscript, cscript, wmic, regsvr32, or cmstp; lower suspicion when the same command line, parent, user, and session match a recognized installer, scheduled task, management agent, COM component, or login script.
- Does this UsageLog path recur with the same process and user pattern?
  - Focus: historical file and process events for the same `host.id`, comparing `file.path`, `event.type`, process/parent executable, and `user.id`. $investigate_4
  - Implication: escalate when a first create, new `process.executable`, new parent, new user, or unusual update appears for a process that normally should not host managed code; lower suspicion when prior events show the same path, process identity, parent, and user with no follow-on artifacts.
- Does the UsageLog artifact or same-process activity expose payload staging?
  - Why: HTA/JS managed-code hosting and repeat UsageLog updates can hide intent in process text, so preserve the UsageLog while using same-process file/process telemetry for the decision.
  - Focus: preserve `file.path`, then query file and process events for the same `host.id` and `process.entity_id`, comparing name, extension, size, and later `process.executable` reuse of written paths. $investigate_5 $investigate_6
  - Hint: if only `process.pid` is available, keep the file/process correlation tightly scoped to the alert time and host; empty or multiple PID matches are unresolved, not benign.
  - Implication: escalate when the process writes scriptable or executable content to user-writable paths, creates unusual payload-sized files, or later executes a written artifact; lower suspicion when artifacts stay inside the same recognized product or deployment path with no follow-on execution.
- If local evidence remains suspicious or unresolved, does the same user or host show related managed-host abuse?
  - Focus: related alerts for `user.id` and `host.id`: repeated UsageLog paths, script-host execution, payload staging, injection, or persistence.
  - Hint: same-user alert view: $investigate_1
  - Hint: same-host alert view: $investigate_2
  - Implication: broaden scope only when UsageLog, identity, launch, recurrence, or artifact evidence remains suspicious or incomplete; keep local when the alert is isolated and all supported evidence resolves to one recognized workflow.
- Escalate for unauthorized managed-code execution through a script host or LOLBin; close only when UsageLog, identity, launch, recurrence, artifact, and related-alert evidence bind to one recognized workflow with no contradictions; preserve artifacts and escalate when evidence is mixed or incomplete.

### False positive analysis

- Packaging, deployment, login-script, management-agent, product, COM, and service-hosted workflows can legitimately update CLR UsageLogs for wscript.exe, cscript.exe, mshta.exe, wmic.exe, cmstp.exe, svchost.exe, dllhost.exe, or regsvr32.exe. Confirm `file.path`, process identity, signer or hash history, parent or service/COM launch context, user/session context, artifact behavior, and same-process file/process activity all point to one workflow. If inventories are unavailable, require stable UsageLog path, parent chain, process identity, and user-host pairing across prior alerts before closing as benign.
- Build exceptions only from the minimum confirmed workflow pattern: `file.path`, `process.executable`, `process.parent.executable`, stable signer or hash, and the relevant `host.id` or `user.id` scope. Avoid exceptions on `file.name`, process name, or host name alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the UsageLog path, process identity, launch chain, user/session context, recurrence pattern, and artifact evidence that proved the workflow. Create an exception only after the same pattern recurs consistently across prior alerts.
- If suspicious but unconfirmed, preserve the UsageLog artifact, process start event, command line, parent chain, same-process file/process timeline, written artifacts, related alerts, and case notes before containment or cleanup.
- If suspicious but unconfirmed, apply reversible containment tied to the findings, such as heightened monitoring or temporary isolation of the affected `host.id` when process/file evidence suggests payload execution. Avoid process termination or file deletion until the artifact set is preserved.
- If confirmed malicious, isolate the endpoint when process identity, launch context, artifact behavior, or related alerts establish unauthorized managed-code execution. Before suspending or terminating the host process, record the recovered `process.entity_id`, command line, parent chain, UsageLog path, and staged files.
- Scope related hosts and users for the same UsageLog path, parent process, process identity, and staged artifacts before deleting files or terminating additional processes.
- Remove only malicious scripts, HTA/JS payloads, assemblies, staged binaries, or persistence artifacts identified during the investigation, then remediate the delivery path or launcher that caused the managed host to load CLR.
- Post-incident hardening: restrict script-host and LOLBin execution through application control where feasible, keep endpoint file/process telemetry for CLR UsageLog triage, and document the confirmed benign workflow or malicious artifact set for future analysts."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.type",
    "host.name",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.parent.executable",
    "process.parent.command_line",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "file.path",
]

[transform]

[[transform.investigate]]
label = "Process events for the same process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same PID"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the same UsageLog path"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" }
  ]
]
relativeFrom = "now-7d/d"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the same process or PID"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process events for the managed host"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[[rule.threat.technique]]
id = "T1620"
name = "Reflective Code Loading"
reference = "https://attack.mitre.org/techniques/T1620/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
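The EQL query above matches on `file.name` alone, so it is worth seeing exactly what it does and does not fire on, and how the false positive guidance's "minimum confirmed workflow pattern" turns into an exception that cannot be keyed on a file name by itself. The following is an added example written for this page, not Elastic's code: the query re-implemented in Python and run over constructed ECS-shaped events, followed by a workflow-tuple exception filter. The UsageLog directory layout under `%LOCALAPPDATA%`, the host and user identifiers, the sample events and the login-script workflow are all assumptions made for illustration.

```python
"""Added example, not Elastic's code: the rule's EQL query re-implemented in Python
and run over constructed ECS-shaped file events, followed by the exception filter the
false positive guidance calls for (match on the full workflow tuple, never on file.name
alone). Assumptions: the UsageLog directory layout under %LOCALAPPDATA%, the sample
events, the host/user identifiers and the login-script workflow are all made up here."""
from typing import Dict, Iterable, List, NamedTuple, Optional

# The file.name list from the EQL query. EQL ':' matching is case-insensitive.
SUSPICIOUS_USAGELOG_NAMES = frozenset({
    "wscript.exe.log", "cscript.exe.log", "mshta.exe.log", "wmic.exe.log",
    "svchost.exe.log", "dllhost.exe.log", "cmstp.exe.log", "regsvr32.exe.log",
})


def matches_rule(event: Dict[str, str]) -> bool:
    """file where host.os.type == "windows" and event.type != "deletion" and file.name : (...)"""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") != "deletion"
        and event.get("file.name", "").lower() in SUSPICIOUS_USAGELOG_NAMES
    )


def expected_usagelog_path(local_appdata: str, exe_name: str, wow64: bool = False) -> str:
    """Path the CLR uses for a host's UsageLog: <LOCALAPPDATA>\\Microsoft\\CLR_v4.0\\UsageLogs\\<exe>.log,
    with CLR_v4.0_32 for a 32-bit process on 64-bit Windows (assumed layout; verify on your hosts)."""
    clr_dir = "CLR_v4.0_32" if wow64 else "CLR_v4.0"
    return f"{local_appdata}\\Microsoft\\{clr_dir}\\UsageLogs\\{exe_name}.log"


class WorkflowException(NamedTuple):
    """Minimum confirmed workflow pattern. All four identity fields are required and the
    exception is scoped to a host or a user, so a file.name-only exception cannot be built."""
    file_path: str
    process_executable: str
    parent_executable: str
    signer: str
    host_id: Optional[str] = None
    user_id: Optional[str] = None


def is_excepted(event: Dict[str, str], exceptions: Iterable[WorkflowException]) -> bool:
    for ex in exceptions:
        in_scope = (ex.host_id is not None and ex.host_id == event.get("host.id")) or (
            ex.user_id is not None and ex.user_id == event.get("user.id"))
        if (in_scope
                and ex.file_path.lower() == event.get("file.path", "").lower()
                and ex.process_executable.lower() == event.get("process.executable", "").lower()
                and ex.parent_executable.lower() == event.get("process.parent.executable", "").lower()
                and ex.signer == event.get("process.code_signature.subject_name")):
            return True
    return False


def run_rule(events: Iterable[Dict[str, str]],
             exceptions: Iterable[WorkflowException] = ()) -> List[Dict[str, str]]:
    """Events that would alert after exceptions are applied."""
    exceptions = list(exceptions)
    return [e for e in events if matches_rule(e) and not is_excepted(e, exceptions)]


# Constructed sample telemetry (not real events).
LOCAL = "C:\\Users\\alice\\AppData\\Local"


def _event(**fields: str) -> Dict[str, str]:
    base = {"event.category": "file", "host.os.type": "windows", "host.id": "host-a",
            "user.id": "S-1-5-21-1", "process.code_signature.subject_name": "Microsoft Windows"}
    base.update(fields)
    return base


SAMPLE_EVENTS = [
    _event(**{"event.type": "creation", "file.name": "mshta.exe.log",
              "file.path": expected_usagelog_path(LOCAL, "mshta.exe"),
              "process.executable": "C:\\Windows\\System32\\mshta.exe",
              "process.parent.executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}),
    _event(**{"event.type": "deletion", "file.name": "mshta.exe.log",         # deletions are excluded
              "file.path": expected_usagelog_path(LOCAL, "mshta.exe")}),
    _event(**{"event.type": "change", "file.name": "powershell.exe.log",      # managed host, not in the list
              "file.path": expected_usagelog_path(LOCAL, "powershell.exe")}),
    _event(**{"event.type": "change", "file.name": "CSCRIPT.EXE.LOG",         # case-insensitive match
              "file.path": expected_usagelog_path(LOCAL, "cscript.exe"),
              "process.executable": "C:\\Windows\\System32\\cscript.exe",
              "process.parent.executable": "C:\\Windows\\System32\\gpscript.exe"}),
    _event(**{"event.category": "process", "event.type": "start", "file.name": "wmic.exe.log"}),  # wrong category
]

# Exception for the recurring login-script workflow on host-a (constructed).
LOGIN_SCRIPT_EXCEPTION = WorkflowException(
    file_path=expected_usagelog_path(LOCAL, "cscript.exe"),
    process_executable="C:\\Windows\\System32\\cscript.exe",
    parent_executable="C:\\Windows\\System32\\gpscript.exe",
    signer="Microsoft Windows", host_id="host-a")

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, [LOGIN_SCRIPT_EXCEPTION]):
        print(hit["file.name"], hit.get("process.executable"), hit.get("process.parent.executable"))
```

Without the exception the rule fires on both the Word-launched mshta.exe UsageLog and the cscript.exe UsageLog; with the host-scoped workflow exception only the mshta.exe event survives. Note that `powershell.exe.log` is never matched: PowerShell is expected to load the CLR, which is why the rule lists only hosts that normally should not.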


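The identity and launch-chain steps of the investigation guide, and in particular the hint that a `process.pid` fallback must be time-bounded and that zero or multiple PID matches are unresolved rather than benign, are easier to apply when written down as logic. The following is an added example for this page, not Elastic's code: the alert is bound to exactly one process start (by `process.entity_id`, or by `process.pid` inside a tight window), then the host binary's path, name and signer are compared with what the UsageLog claims, and the parent is checked against the launch contexts the guide singles out. The 10-minute window, the system-directory and user-writable path heuristics, the expected signer and the risky-parent list are illustrative choices, and every host, user and event is constructed.

```python
"""Added example, not Elastic's code: the identity, launch-chain and PID-fallback
steps of the triage guide as functions over constructed ECS-shaped records. Assumptions:
the 10-minute PID-reuse window, the system-directory and user-writable path heuristics,
the expected signer and the risky-parent list are illustrative choices; hosts, users
and events below are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class ProcessStart:              # one process start event for the host
    ts: datetime
    host_id: str
    entity_id: Optional[str]     # process.entity_id, None when the source lacks it
    pid: int
    executable: str              # process.executable
    parent_executable: str       # process.parent.executable
    signer: Optional[str]        # process.code_signature.subject_name
    trusted: bool                # process.code_signature.trusted


@dataclass(frozen=True)
class UsageLogAlert:             # the file event this rule fired on
    ts: datetime
    host_id: str
    entity_id: Optional[str]
    pid: int
    file_path: str


UNRESOLVED = "unresolved"
PID_WINDOW = timedelta(minutes=10)        # assumed "tight alert-time window"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
EXPECTED_SIGNER = "Microsoft Windows"     # subject name on in-box Windows binaries
RISKY_PARENTS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe"})


def resolve_acting_process(alert: UsageLogAlert, starts: List[ProcessStart],
                           window: timedelta = PID_WINDOW) -> Union[ProcessStart, str]:
    """Bind the alert to its process start: host.id + process.entity_id when present,
    else host.id + process.pid limited to [alert.ts - window, alert.ts] so a PID recycled
    hours earlier is not picked up. Zero or several hits are UNRESOLVED, never benign."""
    if alert.entity_id:
        hits = [p for p in starts if p.host_id == alert.host_id and p.entity_id == alert.entity_id]
    else:
        hits = [p for p in starts if p.host_id == alert.host_id and p.pid == alert.pid
                and alert.ts - window <= p.ts <= alert.ts]
    return hits[0] if len(hits) == 1 else UNRESOLVED


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def usagelog_host_name(file_path: str) -> str:
    """'...\\UsageLogs\\mshta.exe.log' -> 'mshta.exe': the host the artifact claims wrote it."""
    name = basename(file_path)
    return name[:-4] if name.endswith(".log") else name


def identity_findings(alert: UsageLogAlert, proc: ProcessStart) -> List[str]:
    """Reasons to escalate from the identity step; empty means identity evidence is consistent."""
    exe = proc.executable.lower()
    findings = []
    if basename(exe) != usagelog_host_name(alert.file_path):
        findings.append(f"UsageLog host {usagelog_host_name(alert.file_path)} != process {basename(exe)}")
    if not exe.startswith(SYSTEM_DIRS):
        findings.append(f"host binary outside system directories: {proc.executable}")
    if any(marker in exe for marker in USER_WRITABLE):
        findings.append("host binary in a user-writable path")
    if not proc.trusted or proc.signer != EXPECTED_SIGNER:
        findings.append(f"unexpected or untrusted signer: {proc.signer!r}")
    return findings


def launch_chain_findings(proc: ProcessStart) -> List[str]:
    parent = basename(proc.parent_executable)
    return [f"launched by {parent}"] if parent in RISKY_PARENTS else []


def triage(alert: UsageLogAlert, starts: List[ProcessStart]) -> Tuple[str, List[str]]:
    """'unresolved' (keep open), 'escalate' with reasons, or 'continue' when identity and
    launch evidence are consistent and the recurrence and artifact steps come next."""
    proc = resolve_acting_process(alert, starts)
    if proc is UNRESOLVED:
        return UNRESOLVED, ["alert not bound to exactly one process start"]
    findings = identity_findings(alert, proc) + launch_chain_findings(proc)
    return ("escalate" if findings else "continue"), findings


# Constructed sample telemetry. PID 4120 on host-a is reused; PID 7 on host-c is ambiguous.
T = datetime(2024, 5, 1, 14, 0)
MS = "Microsoft Windows"
SYS32 = "C:\\Windows\\System32\\"
LOG = "C:\\Users\\{u}\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\{exe}.log"
SAMPLE_STARTS = [
    ProcessStart(T - timedelta(hours=6), "host-a", "e-cmd", 4120, SYS32 + "cmd.exe", "C:\\Windows\\explorer.exe", MS, True),
    ProcessStart(T - timedelta(minutes=2), "host-a", "e-mshta", 4120, SYS32 + "mshta.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", MS, True),
    ProcessStart(T - timedelta(minutes=4), "host-a", "e-cscript", 900, SYS32 + "cscript.exe", SYS32 + "gpscript.exe", MS, True),
    ProcessStart(T - timedelta(minutes=1), "host-b", "e-fake", 5000,        # unsigned lookalike
                 "C:\\Users\\bob\\AppData\\Local\\Temp\\mshta.exe", SYS32 + "cmd.exe", None, False),
    ProcessStart(T - timedelta(minutes=3), "host-c", None, 7, SYS32 + "mshta.exe", "C:\\Windows\\explorer.exe", MS, True),
    ProcessStart(T - timedelta(minutes=1), "host-c", None, 7, SYS32 + "mshta.exe", "C:\\Windows\\explorer.exe", MS, True),
]
ALERT_PID_ONLY = UsageLogAlert(T, "host-a", None, 4120, LOG.format(u="alice", exe="mshta.exe"))
ALERT_LOGIN_SCRIPT = UsageLogAlert(T, "host-a", "e-cscript", 900, LOG.format(u="alice", exe="cscript.exe"))
ALERT_LOOKALIKE = UsageLogAlert(T, "host-b", "e-fake", 5000, LOG.format(u="bob", exe="mshta.exe"))
ALERT_AMBIGUOUS = UsageLogAlert(T, "host-c", None, 7, LOG.format(u="carol", exe="mshta.exe"))
ALERT_STALE = UsageLogAlert(T + timedelta(hours=1), "host-a", None, 4120, LOG.format(u="alice", exe="mshta.exe"))

if __name__ == "__main__":
    for name, alert in [("pid-only", ALERT_PID_ONLY), ("login-script", ALERT_LOGIN_SCRIPT),
                        ("lookalike", ALERT_LOOKALIKE), ("ambiguous", ALERT_AMBIGUOUS), ("stale", ALERT_STALE)]:
        print(name, *triage(alert, SAMPLE_STARTS))
```

The PID-only alert on host-a binds to the mshta.exe start two minutes earlier and not to the cmd.exe that held PID 4120 six hours before; its binary identity is clean, yet it still escalates because Word launched it. The lookalike on host-b escalates on path, directory and signer at once. The ambiguous (two starts, same PID, same window) and stale (alert an hour after the only start) cases both come back unresolved, which is the outcome the guide says to keep open rather than close.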