Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
13executed in the target process.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Script Object Execution"
20risk_score = 47
21rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
24timestamp_override = "event.ingested"
25type = "eql"
26
27query = '''
28any where host.os.type == "windows" and
29 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
30 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
31 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
32 not process.executable : (
33 "?:\\Windows\\System32\\cscript.exe",
34 "?:\\Windows\\SysWOW64\\cscript.exe",
35 "?:\\Windows\\system32\\msiexec.exe",
36 "?:\\Windows\\SysWOW64\\msiexec.exe",
37 "?:\\Windows\\System32\\smartscreen.exe",
38 "?:\\Windows\\system32\\taskhostw.exe",
39 "?:\\windows\\system32\\inetsrv\\w3wp.exe",
40 "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
41 "?:\\Windows\\system32\\wscript.exe",
42 "?:\\Windows\\SysWOW64\\wscript.exe",
43 "?:\\Windows\\System32\\mshta.exe",
44 "?:\\Windows\\system32\\mobsync.exe",
45 "?:\\Windows\\SysWOW64\\mobsync.exe",
46 "?:\\Windows\\System32\\cmd.exe",
47 "?:\\Windows\\SysWOW64\\cmd.exe",
48 "?:\\Windows\\System32\\OpenWith.exe",
49 "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
50 "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1218"
58name = "System Binary Proxy Execution"
59reference = "https://attack.mitre.org/techniques/T1218/"
60
61[[rule.threat.technique.subtechnique]]
62id = "T1218.010"
63name = "Regsvr32"
64reference = "https://attack.mitre.org/techniques/T1218/010/"
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Suspicious Managed Code Hosting Process
- WebServer Access Logs Deleted
- File Creation Time Changed
- MS Office Macro Security Registry Modifications
- Potential Credential Access via Renamed COM+ Services DLL