Suspicious Script Object Execution

Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.


[metadata]
# Rule lifecycle fields. creation_date is when the rule was first added;
# updated_date tracks the last change to the rule content (query, exclusions,
# tags) and is the value to bump when the exclusion list below is tuned.
creation_date = "2020/09/02"
# Integrations whose data streams feed the `index` patterns in [rule].
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
# Look-back window, evaluated against event.ingested (see timestamp_override)
# rather than @timestamp, so events that arrive late are still examined.
from = "now-9m"
# Two telemetry sources with different field layouts: Elastic Defend library
# events and Sysmon image-load events. The query below uses `?`-prefixed
# optional fields so a field missing from one source's mapping does not error.
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, read top to bottom:
#  - Windows hosts only, and only image-load telemetry: the Elastic Defend
#    `library` category, or Sysmon process events whose event.action starts
#    with "Image loaded".
#  - The loaded module is scrobj.dll, matched on whichever of dll.name or
#    file.name the source populates (hence the `?` optional-field prefix).
#  - The loading process must live under System32 or SysWOW64. The `*`
#    wildcard also spans path separators, which is why nested paths such as
#    inetsrv\w3wp.exe and wbem\WMIADAP.exe need explicit exclusions.
#  - The `not` list names Microsoft binaries that legitimately load
#    scrobj.dll. EQL `:` matching is case-insensitive, so the mixed
#    System32/system32 casing in the list is harmless. "?:\" stands in for
#    any system drive letter.
# Coverage notes for tuning:
#  - Anything executed through an excluded script host (cscript, wscript,
#    mshta, powershell, cmd) is invisible to this rule and needs its own
#    detection coverage.
#  - regsvr32.exe, the binary behind the T1218.010 mapping below, is not in
#    the exclusion list, so its scrobj.dll loads are reported.
#  - Several exclusions list only one bitness path (mshta.exe, smartscreen.exe,
#    taskhostw.exe, OpenWith.exe, WMIADAP.exe, powershell.exe); the SysWOW64
#    counterpart of those, if it ever loads scrobj.dll, will still alert.
#    Widen deliberately, one entry at a time, after confirming the activity
#    is benign.
query = '''
any where host.os.type == "windows" and 
 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and 
 (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and 
 process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and 
 not process.executable : (
       "?:\\Windows\\System32\\cscript.exe",
       "?:\\Windows\\SysWOW64\\cscript.exe",
       "?:\\Windows\\system32\\msiexec.exe",
       "?:\\Windows\\SysWOW64\\msiexec.exe",
       "?:\\Windows\\System32\\smartscreen.exe",
       "?:\\Windows\\system32\\taskhostw.exe",
       "?:\\windows\\system32\\inetsrv\\w3wp.exe",
       "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
       "?:\\Windows\\system32\\wscript.exe",
       "?:\\Windows\\SysWOW64\\wscript.exe",
       "?:\\Windows\\System32\\mshta.exe",
       "?:\\Windows\\system32\\mobsync.exe",
       "?:\\Windows\\SysWOW64\\mobsync.exe",
       "?:\\Windows\\System32\\cmd.exe",
       "?:\\Windows\\SysWOW64\\cmd.exe", 
       "?:\\Windows\\System32\\OpenWith.exe",
       "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
       "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''


# ATT&CK mapping. In TOML each [[rule.threat.technique]] and its
# [[rule.threat.technique.subtechnique]] belong to the [[rule.threat]] element
# that precedes them, and [rule.threat.tactic] is a sub-table of that same
# element, so the ordering of these headers matters.
[[rule.threat]]
framework = "MITRE ATT&CK"
# Parent technique: a signed Microsoft binary is used to run attacker-supplied
# content, which is what an unexpected scrobj.dll load indicates.
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
# Narrows the mapping to the regsvr32 scriptlet case; note regsvr32.exe is
# intentionally absent from the query's exclusion list.
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

