Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
Elastic rule source:

```toml
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Script Object Execution

The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection.

### Possible investigation steps

- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query.
- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior.
- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert.
- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity.
- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior.

### False positive analysis

- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes. To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule.
- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe.
- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule.
- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring.

### Response and remediation

- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule.
- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed."""
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
  (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
  process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
  not process.executable : (
    "?:\\Windows\\System32\\cscript.exe",
    "?:\\Windows\\SysWOW64\\cscript.exe",
    "?:\\Windows\\system32\\msiexec.exe",
    "?:\\Windows\\SysWOW64\\msiexec.exe",
    "?:\\Windows\\System32\\smartscreen.exe",
    "?:\\Windows\\system32\\taskhostw.exe",
    "?:\\windows\\system32\\inetsrv\\w3wp.exe",
    "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
    "?:\\Windows\\system32\\wscript.exe",
    "?:\\Windows\\SysWOW64\\wscript.exe",
    "?:\\Windows\\System32\\mshta.exe",
    "?:\\Windows\\system32\\mobsync.exe",
    "?:\\Windows\\SysWOW64\\mobsync.exe",
    "?:\\Windows\\System32\\cmd.exe",
    "?:\\Windows\\SysWOW64\\cmd.exe",
    "?:\\Windows\\System32\\OpenWith.exe",
    "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
    "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```