[Tuning] Suspicious Script Object Execution (#3339)

* Update defense_evasion_suspicious_scrobj_load.toml

---------

Co-authored-by: Justin Ibarra <[email protected]>

Author: Samirbous

rules/windows/defense_evasion_suspicious_scrobj_load.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -13,27 +13,25 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Script Object Execution"
 risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-sequence by process.entity_id with maxspan=2m
-  [process where host.os.type == "windows" and event.type == "start"
-   and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and
-   process.code_signature.trusted == true) and
-     not process.executable : (
+any where host.os.type == "windows" and 
+ (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and 
+ (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and 
+ process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and 
+ not process.executable : (
        "?:\\Windows\\System32\\cscript.exe",
        "?:\\Windows\\SysWOW64\\cscript.exe",
-       "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
-       "?:\\Program Files\\Internet Explorer\\iexplore.exe",
-       "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
        "?:\\Windows\\system32\\msiexec.exe",
        "?:\\Windows\\SysWOW64\\msiexec.exe",
        "?:\\Windows\\System32\\smartscreen.exe",
@@ -42,11 +40,14 @@ sequence by process.entity_id with maxspan=2m
        "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
        "?:\\Windows\\system32\\wscript.exe",
        "?:\\Windows\\SysWOW64\\wscript.exe",
+       "?:\\Windows\\System32\\mshta.exe",
        "?:\\Windows\\system32\\mobsync.exe",
        "?:\\Windows\\SysWOW64\\mobsync.exe",
        "?:\\Windows\\System32\\cmd.exe",
-       "?:\\Windows\\SysWOW64\\cmd.exe")]
-  [library where host.os.type == "windows" and event.type == "start" and dll.name : "scrobj.dll"]
+       "?:\\Windows\\SysWOW64\\cmd.exe", 
+       "?:\\Windows\\System32\\OpenWith.exe",
+       "?:\\Windows\\System32\\wbem\\WMIADAP.exe",
+       "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
 '''