Suspicious Script Object Execution
Identifies scrobj.dll loaded into unusual Microsoft processes, often indicating a Squiblydoo attack.
id: | a792cb37-fa56-43c2-9357-4b6a54b559c7 |
---|---|
categories: | detect |
confidence: | medium |
os: | windows |
created: | 11/30/2018 |
updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping
tactics: | Defense Evasion, Execution |
---|---|
techniques: | T1117 Regsvr32 |
Query
image_load where image_name == "scrobj.dll" and
process_name in ("regsvr32.exe", "rundll32.exe", "certutil.exe")
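
The same two conditions applied to Sysmon-style image-load records, as an added example that is not part of the original analytic. It assumes Sysmon Event ID 7 field names (`Image`, `ImageLoaded`) carrying full paths, compares file names case-insensitively, and runs on constructed sample events; the function names are hypothetical.

```python
import ntpath

# Values taken from the query above.
TARGET_IMAGE = "scrobj.dll"
WATCHED_PROCESSES = {"regsvr32.exe", "rundll32.exe", "certutil.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def matches(event):
    """Apply the query's two conditions to one image-load record."""
    if event.get("EventID") != 7:  # assumption: 7 = Sysmon image load
        return False
    return (basename(event.get("ImageLoaded")) == TARGET_IMAGE
            and basename(event.get("Image")) in WATCHED_PROCESSES)


def detect(events):
    """Return the matching records, preserving input order."""
    return [e for e in events if matches(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"EventID": 7, "ProcessId": 5332,   # mixed case, SysWOW64 copy
     "Image": r"C:\Windows\SysWOW64\RunDll32.EXE",
     "ImageLoaded": r"C:\Windows\SysWOW64\SCROBJ.DLL"},
    {"EventID": 7, "ProcessId": 2208,   # process not in the watched list
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    {"EventID": 7, "ProcessId": 4120,   # watched process, different DLL
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 4120,   # process creation, not an image load
     "Image": r"C:\Windows\System32\regsvr32.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["ProcessId"], hit["Image"], "loaded", hit["ImageLoaded"])
```

Matching on the file name alone mirrors the query, so a renamed copy of a watched binary would not match; the full `Image` path in each hit is kept for triage.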