Suspicious Script Object Execution
Identifies scrobj.dll (the scriptlet runtime) being loaded into a Windows binary under System32 or SysWOW64 that is not one of the known script hosts the rule excludes. Outside those hosts this usually means a malicious scriptlet is being executed in the target process — for example through regsvr32, the T1218.010 sub-technique the rule maps to.
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# Requires 8.14+: the Windows integration changed at 8.14.0 (see min_stack_comments), so older stacks
# would not map the Sysmon fields this query relies on the same way.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
# Detection premise: scrobj.dll hosts Windows Script Components (scriptlets). Seeing it loaded into a
# Windows system binary that is not one of the known script hosts excluded in the query is the signal.
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
# Look-back window per run. Wider than a typical rule interval, presumably so events that arrive late
# (the rule keys on event.ingested, see timestamp_override) are still evaluated -- confirm against the
# configured interval.
from = "now-9m"
# Image-load telemetry from Elastic Defend (library events), Sysmon via the Windows integration or
# Winlogbeat, and Elastic Endgame. The query carries one event-selection clause per source.
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 "Data Source: Sysmon",
]
# Evaluate on ingest time rather than the event's own timestamp so delayed events are not skipped.
timestamp_override = "event.ingested"
type = "eql"

# Query notes (TOML comments only; the EQL string itself is left untouched):
# - Event selection accepts ECS "library"/"driver" categories as well as Sysmon-style process events whose
#   action starts with "Image loaded". "driver" is presumably how one of the sources classifies image
#   loads -- confirm.
# - `?dll.name` / `?file.name` use EQL optional fields so the query does not error on an index that lacks
#   one of them; the two names cover sources that record the loaded image under dll.* versus file.*.
# - Scope is limited to processes whose image lives under System32 or SysWOW64. EQL `*` spans path
#   separators, so subdirectories are included (hence the inetsrv\ and wbem\ exclusions).
# - The `:` operator is case-insensitive, so the mixed System32/system32/windows casing in the exclusion
#   list is harmless.
# - regsvr32.exe is NOT excluded: scrobj.dll loading into it is the T1218.010 case this rule maps to.
# - Blind spots to keep in mind when tuning:
#   * Several exclusions (cscript, wscript, mshta, cmd, powershell, msiexec) are general-purpose script
#     and proxy-execution hosts that can run scriptlets themselves; abuse through them is out of scope
#     here and needs separate coverage.
#   * Exclusion is by image path only. Code injected into, or a DLL sideloaded by, an excluded process
#     (e.g. taskhostw.exe) would load scrobj.dll without alerting.
#   * Some exclusions list only the System32 path (mshta, smartscreen, taskhostw, OpenWith, WMIADAP,
#     powershell); their SysWOW64 counterparts will still alert. Confirm whether that is intended before
#     widening the list -- every added exclusion is a new blind spot.
query = '''
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
 not process.executable : (
 "?:\\Windows\\System32\\cscript.exe",
 "?:\\Windows\\SysWOW64\\cscript.exe",
 "?:\\Windows\\system32\\msiexec.exe",
 "?:\\Windows\\SysWOW64\\msiexec.exe",
 "?:\\Windows\\System32\\smartscreen.exe",
 "?:\\Windows\\system32\\taskhostw.exe",
 "?:\\windows\\system32\\inetsrv\\w3wp.exe",
 "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
 "?:\\Windows\\system32\\wscript.exe",
 "?:\\Windows\\SysWOW64\\wscript.exe",
 "?:\\Windows\\System32\\mshta.exe",
 "?:\\Windows\\system32\\mobsync.exe",
 "?:\\Windows\\SysWOW64\\mobsync.exe",
 "?:\\Windows\\System32\\cmd.exe",
 "?:\\Windows\\SysWOW64\\cmd.exe",
 "?:\\Windows\\System32\\OpenWith.exe",
 "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
 "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''


# ATT&CK mapping: System Binary Proxy Execution via Regsvr32 (scriptlet execution through scrobj.dll),
# used for Defense Evasion. Other scrobj.dll hosts caught by the query (e.g. rundll32) are not mapped here.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"