Suspicious Image Load (taskschd.dll) from MS Office

calendarMar 6, 2023  ·
Share on: linkedincopy

Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/17"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate
13adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can
14be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary
15(schtasks.exe) used to manage scheduled tasks.
16"""
17from = "now-9m"
18index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious Image Load (taskschd.dll) from MS Office"
22note = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
25"""
26references = [
27    "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
28    "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf",
29]
30risk_score = 21
31rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022"
32severity = "low"
33tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38any where host.os.type == "windows" and
39 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
40  process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
41  (dll.name : "taskschd.dll" or file.name : "taskschd.dll")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1053"
49name = "Scheduled Task/Job"
50reference = "https://attack.mitre.org/techniques/T1053/"
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top