LoFP / false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).

Techniques

• T1055
• T1055.001
• T1059
• T1559.001

Sample rules

Process Writing DynamicWrapperX

• source: splunk
• technicques:
  • T1059
  • T1559.001

Description

DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.

Detection logic

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user 
| `drop_dm_object_name(Processes)` 
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user 
| `drop_dm_object_name(Filesystem)` 
| fields _time process_guid file_path file_name file_create_time user dest process_name] 
| stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `process_writing_dynamicwrapperx_filter`

Loading Of Dynwrapx Module

• source: splunk
• technicques:
  • T1055
  • T1055.001

Description

DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript.

Detection logic

`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR  Product = "DynamicWrapperX") 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `loading_of_dynwrapx_module_filter`