Suspicious Script Object Executionedit

Identifies scrobj.dll loaded into unusual Microsoft processes. This may indicate a malicious scriptlet is being executed in the target process.

Rule indices:

  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Rule queryedit

event.code: 1 and scrobj.dll and (process.name:certutil.exe or
process.name:regsvr32.exe or process.name:rundll32.exe)

Threat mappingedit

Framework: MITRE ATT&CKTM