IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Script Object Executionedit
Identifies scrobj.dll
loaded into unusual Microsoft processes. This may
indicate a malicious scriptlet is being executed in the target process.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Rule queryedit
event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Scripting
- ID: T1064
- Reference URL: https://attack.mitre.org/techniques/T1064/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Scripting
- ID: T1064
- Reference URL: https://attack.mitre.org/techniques/T1064/