Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.
Rule type: eql
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and event.action == "load" and event.category == "library" and file.name == "taskschd.dll"
Framework: MITRE ATT&CKTM
- Version 2 (7.11.2 release)
- Formatting only