Suspicious Script Object Executionedit

Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.

Rule type: eql

Rule indices:


Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None


  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend

Version: 105

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by process.entity_id with maxspan=2m
  [process where host.os.type == "windows" and event.type == "start"
   and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and
   process.code_signature.trusted == true) and
     not process.executable : (
       "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
       "?:\\Program Files\\Internet Explorer\\iexplore.exe",
  [library where host.os.type == "windows" and event.type == "start" and : "scrobj.dll"]