Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
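[metadata]
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
# Fields listed here are only available on stacks at or above min_stack_version.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being
executed in the target process.
"""
# Start of the search window for each rule execution; the sequence itself is
# additionally bounded by maxspan inside the query.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
risk_score = 47
rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"

# Detection logic. Both events must share process.entity_id, i.e. they come from
# the same process instance:
#   1. A Windows process starts with a trusted Microsoft code signature and its
#      executable is NOT one of the expected scriptlet hosts listed in the
#      exclusion (cscript/wscript, iexplore, msiexec, smartscreen, w3wp, cmd, ...).
#   2. Within 2 minutes (maxspan) that same process loads scrobj.dll.
# Tuning / coverage notes:
#   - Only processes whose code signature is trusted and issued to Microsoft are
#     in scope; loads of scrobj.dll into unsigned or third-party processes are
#     not covered by this rule.
#   - The `:` operator is a case-insensitive match with wildcards, so "?:" covers
#     any drive letter and the mixed-case "system32"/"System32" entries are
#     equivalent.
#   - A scrobj.dll load occurring more than 2 minutes after process start falls
#     outside maxspan and will not produce an alert.
#   - Add further known-good hosts to the exclusion list rather than widening
#     maxspan or dropping the signature check.
query = '''
sequence by process.entity_id with maxspan=2m
 [process where host.os.type == "windows" and event.type == "start"
 and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and
 process.code_signature.trusted == true) and
 not process.executable : (
 "?:\\Windows\\System32\\cscript.exe",
 "?:\\Windows\\SysWOW64\\cscript.exe",
 "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "?:\\Program Files\\Internet Explorer\\iexplore.exe",
 "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
 "?:\\Windows\\system32\\msiexec.exe",
 "?:\\Windows\\SysWOW64\\msiexec.exe",
 "?:\\Windows\\System32\\smartscreen.exe",
 "?:\\Windows\\system32\\taskhostw.exe",
 "?:\\windows\\system32\\inetsrv\\w3wp.exe",
 "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
 "?:\\Windows\\system32\\wscript.exe",
 "?:\\Windows\\SysWOW64\\wscript.exe",
 "?:\\Windows\\system32\\mobsync.exe",
 "?:\\Windows\\SysWOW64\\mobsync.exe",
 "?:\\Windows\\System32\\cmd.exe",
 "?:\\Windows\\SysWOW64\\cmd.exe")]
 [library where host.os.type == "windows" and event.type == "start" and dll.name : "scrobj.dll"]
'''

# MITRE ATT&CK mapping: signed-binary proxy execution used for defense evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"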