[metadata] creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" updated_date = "2026/04/30" [rule] author = ["Elastic"] description = """ Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. """ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" name = "Suspicious Managed Code Hosting Process" references = [ "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", ] risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "windows" and event.type != "deletion" and file.name : ("wscript.exe.log", "cscript.exe.log", "mshta.exe.log", "wmic.exe.log", "svchost.exe.log", "dllhost.exe.log", "cmstp.exe.log", "regsvr32.exe.log") ''' note = """## Triage and analysis ### Investigating Suspicious Managed Code Hosting Process #### Possible investigation steps - What CLR UsageLog behavior did the alert preserve? - Focus: `file.path`, `file.name`, `event.type`, and acting `process.name` / `process.executable`. - Implication: escalate when the UsageLog host has no stable process/user pattern; lower suspicion only as an initial read when the same path and process recur for the same product, deployment, login-script, COM, or service-host context. - Is the managed host the genuine Windows binary rather than a lookalike? - Focus: same-process start evidence for `host.id` and `process.entity_id`: `process.executable`, hash, original file name, signer, and trust. $investigate_0 - Hint: if a source lacks `process.entity_id`, fall back to `process.pid` plus `host.id` in a tight alert-time window to avoid PID reuse. $investigate_3 - Implication: escalate when the host binary runs from a user-writable path, has a mismatched original file name, or has an unexpected signer; lower suspicion only when identity, signer, path, and the UsageLog host name all point to the same genuine Windows host. - Does the launch chain explain why this host loaded managed code? - Focus: `process.command_line`, parent executable/command line, `user.id`, and session context. - Implication: escalate when Office, browsers, archive tools, remote sessions, or user-writable scripts drive mshta, wscript, cscript, wmic, regsvr32, or cmstp; lower suspicion when the same command line, parent, user, and session match a recognized installer, scheduled task, management agent, COM component, or login script. - Does this UsageLog path recur with the same process and user pattern? - Focus: historical file and process events for the same `host.id`, comparing `file.path`, `event.type`, process/parent executable, and `user.id`. $investigate_4 - Implication: escalate when a first create, new `process.executable`, new parent, new user, or unusual update appears for a process that normally should not host managed code; lower suspicion when prior events show the same path, process identity, parent, and user with no follow-on artifacts. - Does the UsageLog artifact or same-process activity expose payload staging? - Why: HTA/JS managed-code hosting and repeat UsageLog updates can hide intent in process text, so preserve the UsageLog while using same-process file/process telemetry for the decision. - Focus: preserve `file.path`, then query file and process events for the same `host.id` and `process.entity_id`, comparing name, extension, size, and later `process.executable` reuse of written paths. $investigate_5 $investigate_6 - Hint: if only `process.pid` is available, keep the file/process correlation tightly scoped to the alert time and host; empty or multiple PID matches are unresolved, not benign. - Implication: escalate when the process writes scriptable or executable content to user-writable paths, creates unusual payload-sized files, or later executes a written artifact; lower suspicion when artifacts stay inside the same recognized product or deployment path with no follow-on execution. - If local evidence remains suspicious or unresolved, does the same user or host show related managed-host abuse? - Focus: related alerts for `user.id` and `host.id`: repeated UsageLog paths, script-host execution, payload staging, injection, or persistence. - Hint: same-user alert view: $investigate_1 - Hint: same-host alert view: $investigate_2 - Implication: broaden scope only when UsageLog, identity, launch, recurrence, or artifact evidence remains suspicious or incomplete; keep local when the alert is isolated and all supported evidence resolves to one recognized workflow. - Escalate for unauthorized managed-code execution through a script host or LOLBin; close only when UsageLog, identity, launch, recurrence, artifact, and related-alert evidence bind to one recognized workflow with no contradictions; preserve artifacts and escalate when evidence is mixed or incomplete. ### False positive analysis - Packaging, deployment, login-script, management-agent, product, COM, and service-hosted workflows can legitimately update CLR UsageLogs for wscript.exe, cscript.exe, mshta.exe, wmic.exe, cmstp.exe, svchost.exe, dllhost.exe, or regsvr32.exe. Confirm `file.path`, process identity, signer or hash history, parent or service/COM launch context, user/session context, artifact behavior, and same-process file/process activity all point to one workflow. If inventories are unavailable, require stable UsageLog path, parent chain, process identity, and user-host pairing across prior alerts before closing as benign. - Build exceptions only from the minimum confirmed workflow pattern: `file.path`, `process.executable`, `process.parent.executable`, stable signer or hash, and the relevant `host.id` or `user.id` scope. Avoid exceptions on `file.name`, process name, or host name alone. ### Response and remediation - If confirmed benign, reverse any temporary containment and document the UsageLog path, process identity, launch chain, user/session context, recurrence pattern, and artifact evidence that proved the workflow. Create an exception only after the same pattern recurs consistently across prior alerts. - If suspicious but unconfirmed, preserve the UsageLog artifact, process start event, command line, parent chain, same-process file/process timeline, written artifacts, related alerts, and case notes before containment or cleanup. - If suspicious but unconfirmed, apply reversible containment tied to the findings, such as heightened monitoring or temporary isolation of the affected `host.id` when process/file evidence suggests payload execution. Avoid process termination or file deletion until the artifact set is preserved. - If confirmed malicious, isolate the endpoint when process identity, launch context, artifact behavior, or related alerts establish unauthorized managed-code execution. Before suspending or terminating the host process, record the recovered `process.entity_id`, command line, parent chain, UsageLog path, and staged files. - Scope related hosts and users for the same UsageLog path, parent process, process identity, and staged artifacts before deleting files or terminating additional processes. - Remove only malicious scripts, HTA/JS payloads, assemblies, staged binaries, or persistence artifacts identified during the investigation, then remediate the delivery path or launcher that caused the managed host to load CLR. - Post-incident hardening: restrict script-host and LOLBin execution through application control where feasible, keep endpoint file/process telemetry for CLR UsageLog triage, and document the confirmed benign workflow or malicious artifact set for future analysts.""" setup = """## Setup This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules. Setup instructions: https://ela.st/install-elastic-defend ### Additional data sources This rule also supports the following third-party data sources. For setup instructions, refer to the links below: - [CrowdStrike](https://ela.st/crowdstrike-integration) - [Microsoft Defender XDR](https://ela.st/m365-defender) - [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel) - [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup) """ [rule.investigation_fields] field_names = [ "@timestamp", "event.type", "host.name", "host.id", "user.id", "process.entity_id", "process.pid", "process.executable", "process.command_line", "process.parent.executable", "process.parent.command_line", "process.pe.original_file_name", "process.code_signature.subject_name", "process.code_signature.trusted", "file.path", ] [transform] [[transform.investigate]] label = "Process events for the same process" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[transform.investigate]] label = "Alerts associated with the user" description = "" providers = [ [ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } ] ] relativeFrom = "now-48h/h" relativeTo = "now" [[transform.investigate]] label = "Alerts associated with the host" description = "" providers = [ [ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" } ] ] relativeFrom = "now-48h/h" relativeTo = "now" [[transform.investigate]] label = "Process events for the same PID" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[transform.investigate]] label = "File events for the same UsageLog path" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" } ] ] relativeFrom = "now-7d/d" relativeTo = "now" [[transform.investigate]] label = "File events for the same process or PID" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } ], [ { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[transform.investigate]] label = "Child process events for the managed host" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } ], [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" [[rule.threat.technique.subtechnique]] id = "T1218.003" name = "CMSTP" reference = "https://attack.mitre.org/techniques/T1218/003/" [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" [[rule.threat.technique]] id = "T1620" name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"