[Rule Tuning] Windows Suspicious Script Object Execution (#1081)

* [Rule Tuning] Windows Suspicious Script Object Execution

* renamed rule in version.lock.json

* adjusted codesig check

* added 1 exclusion

* update date

* added cmd to exclusion as per EG telem

* removed changes to version.lock.json

* restored comment for code sig to support winlogbeat

* Revert "removed changes to version.lock.json"

This reverts commit 62794be02486b668ae5f25e5613f18b292342377.

* restored rule name in version.lock

* fixed typo

* removed winlogbeat index

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

rules/windows/defense_evasion_suspicious_scrobj_load.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/06"
 
 [rule]
 author = ["Elastic"]
@@ -10,41 +10,51 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Windows Suspicious Script Object Execution"
-risk_score = 21
+name = "Suspicious Script Object Execution"
+risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
-/* add winlogbeat-* when process.code_signature.* fields are populated */
-
-sequence by process.entity_id with maxspan = 2m
-  [process where event.type in ("start", "process_started") and
-     /* uncomment once in winlogbeat */
-     /* process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted : true and */
-     not process.name : (
-       "cscript.exe",
-       "iexplore.exe",
-       "MicrosoftEdge.exe",
-       "msiexec.exe",
-       "smartscreen.exe",
-       "taskhostw.exe",
-       "w3wp.exe",
-       "wscript.exe")]
+sequence by process.entity_id with maxspan=2m
+  [process where event.type == "start" 
+   and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and 
+   process.code_signature.trusted == true) and
+     not process.executable : (
+       "?:\\Windows\\System32\\cscript.exe",
+       "?:\\Windows\\SysWOW64\\cscript.exe",
+       "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+       "?:\\Program Files\\Internet Explorer\\iexplore.exe",
+       "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
+       "?:\\Windows\\system32\\msiexec.exe",
+       "?:\\Windows\\SysWOW64\\msiexec.exe",
+       "?:\\Windows\\System32\\smartscreen.exe",
+       "?:\\Windows\\system32\\taskhostw.exe",
+       "?:\\windows\\system32\\inetsrv\\w3wp.exe",
+       "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
+       "?:\\Windows\\system32\\wscript.exe",
+       "?:\\Windows\\SysWOW64\\wscript.exe",
+       "?:\\Windows\\system32\\mobsync.exe",
+       "?:\\Windows\\SysWOW64\\mobsync.exe",
+       "?:\\Windows\\System32\\cmd.exe",
+       "?:\\Windows\\SysWOW64\\cmd.exe")]
   [library where event.type == "start" and dll.name : "scrobj.dll"]
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-