Threat Huntlowtest
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determining if its malicious.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Hunting Hypothesis
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
selection_dll:
- ImageLoaded|endswith: '\taskschd.dll'
- OriginalFileName: 'taskschd.dll'
selection_paths:
Image|contains:
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
condition: all of selection_*False Positives
Some installers might generate false positives, apply additional filters accordingly.
MITRE ATT&CK
Sub-techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
Status
test
Level
low
Type
Threat Hunt
Created
Mon Sep 02
Path
rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
Raw Tags
attack.persistenceattack.executionattack.privilege-escalationattack.t1053.005detection.threat-hunting