Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
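# Repository bookkeeping for the rule; none of these keys affect what the query matches.
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/07"

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
# Start of the time range searched on each rule run, relative to now.
from = "now-9m"
# Image-load telemetry from two sources: Elastic Defend library events and Sysmon
# (sysmon_operational / winlogbeat). The query below accounts for both schemas.
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Evaluate the look-back window against ingest time rather than the event's own
# timestamp, so events that arrive late are not missed by the "now-9m" window.
timestamp_override = "event.ingested"
type = "eql"

# How the query scopes the detection:
# - Image loads arrive either as Elastic Defend `library` events or as Sysmon
#   "Image loaded" events carried under event.category "process"; both branches are ORed.
# - The `?` prefix marks dll.name / file.name as optional fields, so the query does not
#   fail on an index where one of them is unmapped. Which field carries the DLL name is
#   presumably source-dependent; verify against the two integrations' mappings.
# - Only processes whose image lives under System32 / SysWOW64 are in scope; the `not`
#   list carves out processes in which a scrobj.dll load is treated as expected.
#   regsvr32.exe is not in that list, which keeps it in scope and lines up with the
#   T1218.010 (Regsvr32) mapping below.
# - `:` is a case-insensitive match in EQL, so the mixed casing of "System32" /
#   "system32" / "windows" in the exclusion list does not change what is matched.
# Coverage caveat: the exclusions include several script hosts and shells (cscript,
# wscript, mshta, cmd, powershell), so scrobj.dll loads in those processes are out of
# scope here and depend on other rules for detection.
query = '''
any where host.os.type == "windows" and
 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
 not process.executable : (
 "?:\\Windows\\System32\\cscript.exe",
 "?:\\Windows\\SysWOW64\\cscript.exe",
 "?:\\Windows\\system32\\msiexec.exe",
 "?:\\Windows\\SysWOW64\\msiexec.exe",
 "?:\\Windows\\System32\\smartscreen.exe",
 "?:\\Windows\\system32\\taskhostw.exe",
 "?:\\windows\\system32\\inetsrv\\w3wp.exe",
 "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
 "?:\\Windows\\system32\\wscript.exe",
 "?:\\Windows\\SysWOW64\\wscript.exe",
 "?:\\Windows\\System32\\mshta.exe",
 "?:\\Windows\\system32\\mobsync.exe",
 "?:\\Windows\\SysWOW64\\mobsync.exe",
 "?:\\Windows\\System32\\cmd.exe",
 "?:\\Windows\\SysWOW64\\cmd.exe",
 "?:\\Windows\\System32\\OpenWith.exe",
 "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
 "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''

# ATT&CK mapping: one threat entry, one technique, one sub-technique, one tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"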