Severity: medium

Suspicious Script Object Execution via scrobj.dll

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

This detection identifies suspicious use of scrobj.dll, a legitimate Windows library, when it is loaded into unusual Microsoft processes. Attackers may abuse scrobj.dll to execute malicious scriptlets inside trusted processes, evading detection by proxying execution through legitimate system binaries. The rule excludes common executables and flags only non-standard processes loading scrobj.dll. Its logic keys on image load events in which scrobj.dll is loaded into an unexpected process, which indicates potential misuse of the library. The rule is designed for data generated by Elastic Defend, Elastic Endgame, and Sysmon.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means.
  2. The attacker crafts or deploys a malicious scriptlet designed to execute malicious commands or payloads.
  3. The attacker leverages a non-standard or less common Microsoft process to load scrobj.dll.
  4. scrobj.dll is loaded into the target process, enabling the execution of scriptlets.
  5. The malicious scriptlet executes within the context of the trusted Microsoft process, bypassing application whitelisting or other security controls.
  6. The scriptlet performs malicious actions, such as downloading additional payloads, modifying system configurations, or establishing command and control communication.
  7. The attacker achieves their objectives, such as data exfiltration, lateral movement, or persistence.

Impact

Successful exploitation allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially leading to full system compromise. This could result in data theft, system corruption, or further propagation of the attack within the network. The impact is significant because it allows malware to operate under the guise of legitimate system processes.

Recommendation

  • Deploy the Sigma rule Suspicious Scrobj.dll Image Load to your SIEM to detect this activity (see rule below).
  • Enable Sysmon Event ID 7 (Image Loaded) to collect the necessary data for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule Suspicious Scrobj.dll Image Load to determine the legitimacy of the scrobj.dll loading activity.
  • Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on processes identified in the detection rule.
  • Continuously audit scheduled tasks and exclude known safe processes from the detection rule to minimize false positives, as described in the rule’s Triage and Analysis section.

Detection coverage (2 rules)

Suspicious Scrobj.dll Image Load (severity: medium)

Detects scrobj.dll loaded into unusual Microsoft processes, indicating potential malicious scriptlet execution.

Rule type: Sigma. Tactics: defense_evasion, execution. Techniques: T1059, T1218.010. Sources: image_load, windows.

Suspicious Process Loading scrobj.dll (severity: medium)

Detects a non-Microsoft process loading scrobj.dll, potentially indicating scriptlet execution.

Rule type: Sigma. Tactics: defense_evasion, execution. Techniques: T1059, T1218.010. Sources: image_load, windows.
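To make the detection logic described in the overview and the split between the two rules above concrete, the following is an added Python example (not the platform's rule or the page's own code) that applies the same decision to constructed Sysmon Event ID 7 records. The list of known loaders standing in for the rule's "common executables" and the use of a C:\Windows\ path as the marker of a Microsoft process are assumptions, not the rules' actual criteria.

```python
# Sysmon Event ID 7 (Image Loaded) records, constructed for this example.
# Only the two fields the rules consult are kept: the loading process
# (Image) and the library it loaded (ImageLoaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\scrobj.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

# Assumed exclusion list standing in for the rule's "common executables";
# the real rule's list is not reproduced on the page.
KNOWN_LOADERS = {"regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumption: a process whose image lives under C:\Windows\ is treated as a
# Microsoft process; everything else is handled by the second rule.
MICROSOFT_PATH_PREFIX = "c:\\windows\\"


def classify(event):
    """Return the name of the rule an event would trigger, or None if benign."""
    image = event["Image"]
    loaded = event["ImageLoaded"].lower()
    if not loaded.endswith("\\scrobj.dll"):
        return None  # both rules key on scrobj.dll loads only
    exe = image.rsplit("\\", 1)[-1].lower()
    if image.lower().startswith(MICROSOFT_PATH_PREFIX):
        if exe in KNOWN_LOADERS:
            return None  # expected loader, excluded to limit false positives
        return "Suspicious Scrobj.dll Image Load"
    return "Suspicious Process Loading scrobj.dll"


def run_detection(events):
    """Evaluate each record and collect (process image, rule name) hits."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["Image"], rule))
    return hits


if __name__ == "__main__":
    for image, rule in run_detection(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Excluded loaders such as regsvr32.exe are not silently safe; they simply fall outside this rule's scope and need their own coverage (for example command-line based rules).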
