Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Suspicious Script Object Execution
24
25The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection.
26
27### Possible investigation steps
28
29- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query.
30- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior.
31- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
32- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert.
33- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity.
34- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior.
35
36### False positive analysis
37
38- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes. To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule.
39- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe.
40- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule.
41- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring.
42
43### Response and remediation
44
45- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
46- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity.
47- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files.
48- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
49- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
50- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule.
51- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed."""
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
  (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and
  process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and
  not process.executable : (
    "?:\\Windows\\System32\\cscript.exe",
    "?:\\Windows\\SysWOW64\\cscript.exe",
    "?:\\Windows\\system32\\msiexec.exe",
    "?:\\Windows\\SysWOW64\\msiexec.exe",
    "?:\\Windows\\System32\\smartscreen.exe",
    "?:\\Windows\\system32\\taskhostw.exe",
    "?:\\windows\\system32\\inetsrv\\w3wp.exe",
    "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
    "?:\\Windows\\system32\\wscript.exe",
    "?:\\Windows\\SysWOW64\\wscript.exe",
    "?:\\Windows\\System32\\mshta.exe",
    "?:\\Windows\\system32\\mobsync.exe",
    "?:\\Windows\\SysWOW64\\mobsync.exe",
    "?:\\Windows\\System32\\cmd.exe",
    "?:\\Windows\\SysWOW64\\cmd.exe",
    "?:\\Windows\\System32\\OpenWith.exe",
    "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
    "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Sysmon Event ID 7 - Image Loaded](https://ela.st/sysmon-event-7-setup)
"""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
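The query above is a single predicate over module-load events. As an added example (not part of the Elastic rule or its repository), the Python below re-implements that predicate and runs it over constructed sample events, including a constructed Sysmon Event ID 7 record mapped to the fields the query reads, so you can see which loads fire and which the scope and exclusion clauses drop. The sample events, the `ecs_from_sysmon_7` mapping and the helper names are assumptions made for this example, not Elastic code.

```python
"""Added example, not part of the Elastic rule: a Python stand-in for the
EQL predicate, evaluated over constructed sample events."""
import re
import xml.etree.ElementTree as ET

# Scope and exclusions copied from the query's process.executable clauses.
IN_SCOPE = [r"?:\Windows\System32\*.exe", r"?:\Windows\SysWOW64\*.exe"]
EXCLUDED = [
    r"?:\Windows\System32\cscript.exe", r"?:\Windows\SysWOW64\cscript.exe",
    r"?:\Windows\system32\msiexec.exe", r"?:\Windows\SysWOW64\msiexec.exe",
    r"?:\Windows\System32\smartscreen.exe", r"?:\Windows\system32\taskhostw.exe",
    r"?:\windows\system32\inetsrv\w3wp.exe", r"?:\windows\SysWOW64\inetsrv\w3wp.exe",
    r"?:\Windows\system32\wscript.exe", r"?:\Windows\SysWOW64\wscript.exe",
    r"?:\Windows\System32\mshta.exe",
    r"?:\Windows\system32\mobsync.exe", r"?:\Windows\SysWOW64\mobsync.exe",
    r"?:\Windows\System32\cmd.exe", r"?:\Windows\SysWOW64\cmd.exe",
    r"?:\Windows\System32\OpenWith.exe", r"?:\Windows\System32\wbem\WMIADAP.exe",
    r"?:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]


def eql_like(value, pattern):
    """EQL `:` comparison: case-insensitive, `?` = one character, `*` = any run.
    `*` also crosses backslashes, so "?:\\Windows\\System32\\*.exe" covers
    wbem\\WMIADAP.exe and inetsrv\\w3wp.exe, which is why those sub-paths
    must appear in the exclusion list. (The leading `?` on ?dll.name in the
    query is the optional-field marker, not this wildcard.)"""
    if value is None:
        return False
    regex = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_fires(ev):
    """Evaluates the rule's `where` clause on a flat ECS-style dict."""
    if ev.get("host.os.type") != "windows":
        return False
    category, action = ev.get("event.category"), ev.get("event.action")
    module_load = category in ("library", "driver") or (
        category == "process" and eql_like(action, "Image loaded*"))
    if not module_load:
        return False
    if not (eql_like(ev.get("dll.name"), "scrobj.dll")
            or eql_like(ev.get("file.name"), "scrobj.dll")):
        return False
    exe = ev.get("process.executable")
    in_scope = any(eql_like(exe, p) for p in IN_SCOPE)
    excluded = any(eql_like(exe, p) for p in EXCLUDED)
    return in_scope and not excluded


def ecs_from_sysmon_7(xml_text):
    """Maps a Sysmon Event ID 7 (Image Loaded) record to the fields the query
    reads. Assumption for this example: the Sysmon pipeline puts the loaded
    module in file.name and sets event.category "process" with an
    event.action beginning "Image loaded", which the query's second branch
    is written to accept."""
    ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall(".//e:EventData/e:Data", ns)}
    return {
        "host.os.type": "windows",
        "event.category": "process",
        "event.action": "Image loaded (rule: ImageLoad)",
        "process.executable": data.get("Image"),
        "file.name": data.get("ImageLoaded", "").split("\\")[-1],
    }


# Constructed Sysmon Event ID 7 record (not real telemetry).
SAMPLE_SYSMON_7 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\regsvr32.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\scrobj.dll</Data>
  </EventData>
</Event>"""


def defend_library_event(executable, dll="scrobj.dll", os_type="windows"):
    """Constructed Elastic Defend-style library event, as the query reads it."""
    return {"host.os.type": os_type, "event.category": "library",
            "process.executable": executable, "dll.name": dll}


def demo():
    """Returns {label: fired} for constructed cases."""
    cases = {
        # Classic proxy execution: regsvr32 /s /n /u /i:<scriptlet> scrobj.dll
        "regsvr32": defend_library_event(r"C:\Windows\System32\regsvr32.exe"),
        "regsvr32_wow64": defend_library_event(r"C:\Windows\SysWOW64\regsvr32.exe"),
        # Legitimate hosts named in the exclusion list (matching is case-insensitive)
        "cscript": defend_library_event(r"C:\Windows\System32\cscript.exe"),
        "cmd_mixed_case": defend_library_event(r"c:\WINDOWS\system32\CMD.EXE"),
        # Outside System32/SysWOW64: deliberately out of the rule's scope
        "third_party": defend_library_event(r"C:\Program Files\Vendor\app.exe"),
        "other_dll": defend_library_event(r"C:\Windows\System32\regsvr32.exe", dll="ole32.dll"),
        "not_windows": defend_library_event(r"C:\Windows\System32\regsvr32.exe", os_type="linux"),
        "sysmon_regsvr32": ecs_from_sysmon_7(SAMPLE_SYSMON_7),
    }
    return {label: rule_fires(ev) for label, ev in cases.items()}


if __name__ == "__main__":
    for label, fired in demo().items():
        print(f"{label:18} {'ALERT' if fired else '-'}")
```

Two points the run makes visible: the exclusion list is matched case-insensitively by full path, so `c:\WINDOWS\system32\CMD.EXE` is still dropped, and a third-party binary outside System32/SysWOW64 never reaches the exclusion check at all, because the scope clause drops it first.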
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools