IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Suspicious Hidden Child Process of Launchd Suspicious ImagePath Service Creation »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Suspicious Image Load (taskschd.dll) from MS Office

edit

Suspicious Image Load (taskschd.dll) from MS Office

edit

Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Execution
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 106

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
  process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
  (dll.name : "taskschd.dll" or file.name : "taskschd.dll")

Framework: MITRE ATT&CKTM

« Suspicious Hidden Child Process of Launchd Suspicious ImagePath Service Creation »