Suspicious Script Object Execution

Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.

Elastic rule (View on GitHub)

# Rule-management metadata (dates, maturity, minimum stack version).
[metadata]
creation_date = "2020/09/02"
# Integrations supplying the data streams matched by `index` under [rule].
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version the rule is declared to load on.
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
 8
[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
# Look-back window per execution. Paired with `timestamp_override` below so
# the window is measured against ingest time and late-arriving events are
# still evaluated.
from = "now-9m"
# Elastic Defend library-load events and the Sysmon operational channel; the
# query below accepts either source's event shape.
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47  # paired with severity = "medium"
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL). Fires when scrobj.dll (the Windows Script Component
# runtime behind scriptlet execution) is loaded into a process whose image
# lives under System32 or SysWOW64, excluding the built-in script hosts and
# other system binaries that load it as part of normal operation.
# Reading notes:
# - `?dll.name` / `?file.name`: the leading `?` marks the field as optional,
#   so the query does not fail on an index where one of the two is unmapped.
#   Presumably the two data sources name the loaded module differently --
#   confirm against the field mappings before changing either clause.
# - `:` is case-insensitive wildcard matching; the mixed-case spellings in the
#   exclusion list (System32 vs system32) are therefore equivalent, and `?:`
#   matches any single drive letter.
# - regsvr32.exe is not excluded, consistent with the T1218.010 (Regsvr32)
#   mapping below.
# - Several exclusions cover only the System32 copy (mshta.exe, taskhostw.exe,
#   smartscreen.exe, OpenWith.exe, WMIADAP.exe, powershell.exe); the SysWOW64
#   counterparts, where they exist, still alert. Tuners should confirm this is
#   intended rather than an omission.
# (Comments cannot go inside the ''' literal: they would become part of the
# query string.)
query = '''
any where host.os.type == "windows" and 
 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and 
 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and 
 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and 
 not process.executable : (
       "?:\\Windows\\System32\\cscript.exe",
       "?:\\Windows\\SysWOW64\\cscript.exe",
       "?:\\Windows\\system32\\msiexec.exe",
       "?:\\Windows\\SysWOW64\\msiexec.exe",
       "?:\\Windows\\System32\\smartscreen.exe",
       "?:\\Windows\\system32\\taskhostw.exe",
       "?:\\windows\\system32\\inetsrv\\w3wp.exe",
       "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
       "?:\\Windows\\system32\\wscript.exe",
       "?:\\Windows\\SysWOW64\\wscript.exe",
       "?:\\Windows\\System32\\mshta.exe",
       "?:\\Windows\\system32\\mobsync.exe",
       "?:\\Windows\\SysWOW64\\mobsync.exe",
       "?:\\Windows\\System32\\cmd.exe",
       "?:\\Windows\\SysWOW64\\cmd.exe", 
       "?:\\Windows\\System32\\OpenWith.exe",
       "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
       "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''
52
53
# MITRE ATT&CK mapping: a single technique with one sub-technique, under one
# tactic. TOML attaches `[[rule.threat.technique]]` and `[rule.threat.tactic]`
# to the most recent `[[rule.threat]]` element, so header order matters here.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

# regsvr32.exe does not appear in the query's exclusion list, consistent with
# this sub-technique being the rule's primary coverage.
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
