Suspicious Script Object Execution

Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.

Elastic rule

[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
 not process.executable : (
       "?:\\Windows\\System32\\cscript.exe",
       "?:\\Windows\\SysWOW64\\cscript.exe",
       "?:\\Windows\\system32\\msiexec.exe",
       "?:\\Windows\\SysWOW64\\msiexec.exe",
       "?:\\Windows\\System32\\smartscreen.exe",
       "?:\\Windows\\system32\\taskhostw.exe",
       "?:\\windows\\system32\\inetsrv\\w3wp.exe",
       "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
       "?:\\Windows\\system32\\wscript.exe",
       "?:\\Windows\\SysWOW64\\wscript.exe",
       "?:\\Windows\\System32\\mshta.exe",
       "?:\\Windows\\system32\\mobsync.exe",
       "?:\\Windows\\SysWOW64\\mobsync.exe",
       "?:\\Windows\\System32\\cmd.exe",
       "?:\\Windows\\SysWOW64\\cmd.exe",
       "?:\\Windows\\System32\\OpenWith.exe",
       "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
       "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Script Object Execution

The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection.

### Possible investigation steps

- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query.
- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior.
- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert.
- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity.
- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior.

### False positive analysis

- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes. To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule.
- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe.
- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule.
- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring.

### Response and remediation

- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule.
- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
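To make the query's scope and exclusion logic concrete, and to show the rule-tuning step the false-positive guidance describes (adding a verified process path to the `not` list), here is an added Python re-implementation of the rule's predicate run over constructed library-load events. It is example code written for this page, not the Elastic rule or anything from the detection-rules repository. It assumes EQL's `:` operator semantics (case-insensitive; `*` matches any run of characters, including path separators, which is what lets the rule exclude `wbem\WMIADAP.exe` under `System32`; `?` matches exactly one character). The events, the `ContosoMaint\maint.exe` path and the field layout are constructed for illustration; `event.category` is modelled as a plain string rather than an ECS array.

```python
"""Added example, not part of the Elastic rule or its repository: a Python
re-implementation of the rule's EQL predicate, run over constructed
library-load events so the match and exclusion logic can be inspected."""
import re

# Scope and exclusions copied from the EQL query above. Assumed EQL ':'
# semantics: case-insensitive; '*' matches any run of characters (including
# path separators, which is why the rule can exclude wbem\WMIADAP.exe under
# System32); '?' matches exactly one character (the drive letter here).
SYSTEM_DIR_PATTERNS = [r"?:\Windows\System32\*.exe", r"?:\Windows\SysWOW64\*.exe"]
RULE_EXCLUSIONS = [
    r"?:\Windows\System32\cscript.exe",
    r"?:\Windows\SysWOW64\cscript.exe",
    r"?:\Windows\system32\msiexec.exe",
    r"?:\Windows\SysWOW64\msiexec.exe",
    r"?:\Windows\System32\smartscreen.exe",
    r"?:\Windows\system32\taskhostw.exe",
    r"?:\windows\system32\inetsrv\w3wp.exe",
    r"?:\windows\SysWOW64\inetsrv\w3wp.exe",
    r"?:\Windows\system32\wscript.exe",
    r"?:\Windows\SysWOW64\wscript.exe",
    r"?:\Windows\System32\mshta.exe",
    r"?:\Windows\system32\mobsync.exe",
    r"?:\Windows\SysWOW64\mobsync.exe",
    r"?:\Windows\System32\cmd.exe",
    r"?:\Windows\SysWOW64\cmd.exe",
    r"?:\Windows\System32\OpenWith.exe",
    r"?:\Windows\System32\wbem\WMIADAP.exe",
    r"?:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]


def eql_match(pattern: str, value: str) -> bool:
    """Case-insensitive EQL-style wildcard match over the whole string."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_rule(event: dict, extra_exclusions=()) -> bool:
    """Return True when the event satisfies the rule's predicate.

    extra_exclusions models the tuning step from the false-positive
    guidance: verified process paths appended to the rule's NOT list."""
    if event.get("host.os.type") != "windows":
        return False
    category = event.get("event.category", "")
    action = event.get("event.action", "")
    is_load = category in ("library", "driver") or (
        category == "process" and eql_match("Image loaded*", action))
    if not is_load:
        return False
    if not (eql_match("scrobj.dll", event.get("dll.name", ""))
            or eql_match("scrobj.dll", event.get("file.name", ""))):
        return False
    exe = event.get("process.executable", "")
    if not any(eql_match(p, exe) for p in SYSTEM_DIR_PATTERNS):
        return False
    return not any(eql_match(p, exe)
                   for p in (*RULE_EXCLUSIONS, *extra_exclusions))


def alerts(events, extra_exclusions=()):
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e, extra_exclusions)]


# Constructed sample events (not real telemetry). Field names follow the
# rule's query; values are illustrative only.
SAMPLE_EVENTS = [
    # Sysmon-style image load into regsvr32.exe, the binary named by the
    # rule's ATT&CK mapping (T1218.010): in scope and not excluded.
    {"id": "regsvr32-load", "host.os.type": "windows", "event.category": "process",
     "event.action": "Image loaded (rule: ImageLoad)", "file.name": "scrobj.dll",
     "process.executable": r"C:\Windows\System32\regsvr32.exe"},
    # Elastic Defend library event in wscript.exe: excluded by the rule even
    # though the path's case differs from the pattern.
    {"id": "wscript-load", "host.os.type": "windows", "event.category": "library",
     "dll.name": "scrobj.dll",
     "process.executable": r"C:\Windows\SysWOW64\WSCRIPT.EXE"},
    # WMIADAP.exe lives in a System32 subdirectory; '*' spans it, still excluded.
    {"id": "wmiadap-load", "host.os.type": "windows", "event.category": "library",
     "dll.name": "scrobj.dll",
     "process.executable": r"C:\Windows\System32\wbem\WMIADAP.exe"},
    # Hypothetical in-house maintenance tool under System32 (made-up path):
    # alerts until the analyst adds it as a verified exclusion.
    {"id": "maint-load", "host.os.type": "windows", "event.category": "library",
     "dll.name": "scrobj.dll",
     "process.executable": r"C:\Windows\System32\ContosoMaint\maint.exe"},
    # A different DLL in the same process: outside the rule's concern.
    {"id": "other-dll", "host.os.type": "windows", "event.category": "library",
     "dll.name": "kernel32.dll",
     "process.executable": r"C:\Windows\System32\regsvr32.exe"},
]

if __name__ == "__main__":
    print("default:", alerts(SAMPLE_EVENTS))
    print("tuned:  ", alerts(SAMPLE_EVENTS,
                             extra_exclusions=[r"?:\Windows\System32\ContosoMaint\maint.exe"]))
```

Running it as a script lists `regsvr32-load` and `maint-load` under the stock rule and only `regsvr32-load` once the constructed maintenance path is excluded. The same harness is a convenient place to check a proposed exclusion against retained events before changing the production rule, so the tuning does not silently widen the gap the rule is meant to cover.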

