IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Windows Suspicious Script Object Execution
Identifies scrobj.dll, the Windows Script Component (scriptlet) runtime, being loaded into Microsoft processes that do not normally host scriptlets. This usually means a malicious scriptlet is being executed in the target process, for example the well-known pattern of regsvr32.exe loading scrobj.dll to run a remotely hosted .sct scriptlet.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
Severity: medium
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 1
Added (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Rule query
/* add winlogbeat-* when process.code_signature.* fields are populated */
sequence by process.entity_id with maxspan=2m
  [process where event.type in ("start", "process_started") and
    /* uncomment once in winlogbeat */
    /* process.code_signature.subject_name == "Microsoft Corporation" and
       process.code_signature.trusted == true and */
    not (process.name : "cscript.exe" or
         process.name : "iexplore.exe" or
         process.name : "MicrosoftEdge.exe" or
         process.name : "msiexec.exe" or
         process.name : "smartscreen.exe" or
         process.name : "taskhostw.exe" or
         process.name : "w3wp.exe" or
         process.name : "wscript.exe")]
  [library where event.type == "start" and file.name : "scrobj.dll"]
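To make the sequence semantics concrete, the following is an added example (not part of the Elastic rule or its documentation) that re-implements the query's logic in Python and runs it over a handful of constructed events. It assumes flattened ECS field names (process.entity_id, process.name, file.name, event.category, event.type, @timestamp), that events are ordered by timestamp, and that the ':' operator's case-insensitive matching can be approximated by lower-casing names. The require_ms_signature flag is an assumption that models the code_signature filter the rule leaves commented out; the sample event set, including the process names and entity IDs, is constructed for illustration.

```python
"""Stand-alone re-implementation of the rule's EQL sequence over constructed sample events."""
from datetime import datetime, timedelta

# Process names the rule excludes (EQL ':' matching is case-insensitive, so compare lower-cased).
EXCLUDED_PROCESSES = {
    "cscript.exe", "iexplore.exe", "microsoftedge.exe", "msiexec.exe",
    "smartscreen.exe", "taskhostw.exe", "w3wp.exe", "wscript.exe",
}
MAXSPAN = timedelta(minutes=2)  # sequence ... with maxspan=2m


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])


def detect_scrobj_loads(events, require_ms_signature=False):
    """Return one alert per process.entity_id whose process start is followed,
    within MAXSPAN, by a library load of scrobj.dll.

    require_ms_signature is an assumed flag mirroring the commented-out
    code_signature filter: when True, only Microsoft-signed, trusted processes
    qualify as the first stage of the sequence.
    """
    pending = {}  # entity_id -> stage-1 (process start) event awaiting stage 2
    alerts = []
    for ev in sorted(events, key=_ts):
        eid = ev["process.entity_id"]
        if ev["event.category"] == "process" and ev["event.type"] in ("start", "process_started"):
            if ev["process.name"].lower() in EXCLUDED_PROCESSES:
                continue
            if require_ms_signature and not (
                ev.get("process.code_signature.subject_name") == "Microsoft Corporation"
                and ev.get("process.code_signature.trusted") is True
            ):
                continue
            pending[eid] = ev
        elif (ev["event.category"] == "library" and ev["event.type"] == "start"
              and ev.get("file.name", "").lower() == "scrobj.dll"):
            start = pending.get(eid)
            if start is None:
                continue  # no qualifying process start seen for this entity_id
            if _ts(ev) - _ts(start) > MAXSPAN:
                pending.pop(eid)  # stage 1 expired; this sequence cannot complete
                continue
            alerts.append({
                "process.entity_id": eid,
                "process.name": start["process.name"],
                "start": start["@timestamp"],
                "scrobj_load": ev["@timestamp"],
            })
            pending.pop(eid)  # a sequence completes once per stage-1 event


    return alerts


def sample_events():
    """Constructed events (not real telemetry) in the flattened field names the rule uses."""
    def proc(eid, name, ts, signed=True):
        return {"@timestamp": ts, "event.category": "process", "event.type": "start",
                "process.entity_id": eid, "process.name": name,
                "process.code_signature.subject_name": "Microsoft Corporation" if signed else "Example Corp",
                "process.code_signature.trusted": True}

    def lib(eid, dll, ts):
        return {"@timestamp": ts, "event.category": "library", "event.type": "start",
                "process.entity_id": eid, "file.name": dll}

    return [
        # 1) regsvr32.exe loads scrobj.dll 3 s after start: the scriptlet-hosting pattern -> alert
        proc("a1", "regsvr32.exe", "2021-01-01T10:00:00"),
        lib("a1", "scrobj.dll", "2021-01-01T10:00:03"),
        # 2) wscript.exe is on the rule's exclusion list -> no alert
        proc("b2", "wscript.exe", "2021-01-01T10:00:10"),
        lib("b2", "scrobj.dll", "2021-01-01T10:00:11"),
        # 3) load arrives 5 min after start, outside maxspan -> no alert (case-insensitive name)
        proc("c3", "rundll32.exe", "2021-01-01T10:01:00"),
        lib("c3", "SCROBJ.DLL", "2021-01-01T10:06:00"),
        # 4) unsigned third-party binary: alerts under the rule as shipped,
        #    dropped when the assumed require_ms_signature filter is enabled
        proc("d4", "updater.exe", "2021-01-01T10:02:00", signed=False),
        lib("d4", "scrobj.dll", "2021-01-01T10:02:30"),
        # 5) library load with no preceding process start for that entity -> no alert
        lib("e5", "scrobj.dll", "2021-01-01T10:03:00"),
    ]


if __name__ == "__main__":
    for alert in detect_scrobj_loads(sample_events()):
        print(alert)
```

Running this with the defaults yields two alerts (regsvr32.exe and updater.exe); enabling require_ms_signature drops the unsigned updater.exe and leaves only regsvr32.exe, which is the behaviour the rule will have once the winlogbeat code_signature fields are populated and the commented filter is restored.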
Threat mapping
Framework: MITRE ATT&CK™
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Scripting
- ID: T1064
- Reference URL: https://attack.mitre.org/techniques/T1064/
Note: MITRE has since deprecated T1064 (Scripting) in favour of T1059 (Command and Scripting Interpreter); this rule version retains the original mapping.