Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location

    Date: 09/18/2024

    Severity: Low

    Summary

    Identifies when the "taskschd.dll" module is loaded by a process running from a potentially suspicious or unusual directory (temporary folders, Users\Public, a user's Desktop or Downloads). Loading this DLL suggests the application is able to create scheduled tasks through the "Schedule.Service" COM object, a common persistence mechanism. Legitimate installers and updaters also run from these directories and register tasks, so treat a match as a hunting lead rather than a confirmed alert: investigate the application, its signature and any task it creates to determine whether it is malicious.

    Indicators of Compromise (IOC) List

    ImageLoaded

    '\taskschd.dll'

    OriginalFileName

    'taskschd.dll'

    Image

    ':\Temp\'

    ':\Users\Public\'

    ':\Windows\Temp\'

    '\AppData\Local\Temp\'

    '\Desktop\'

    '\Downloads\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename = "Sysmon" AND eventtype = "7"  ) AND imageloaded like "\\taskschd.dll" AND originalfilename like "taskschd.dll" AND image In (":\Temp",":\Users\Public",":\Windows\Temp","\AppData\Local\Temp","\Desktop","\Downloads") 

    Detection Query 2

    technologygroup = "EDR" AND imageloaded like "\\taskschd.dll" AND originalfilename like "taskschd.dll" AND image In (":\Temp",":\Users\Public",":\Windows\Temp","\AppData\Local\Temp","\Desktop","\Downloads") 
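    The logic of the two queries above, re-implemented in Python and run over a handful of constructed Sysmon Event ID 7 records. This is an added example, not Gurucul's or the Sigma rule's own code; the "Key: Value" message layout follows Sysmon's rendered event text, the sample paths and hosts are made up, and the triage hints (whether the DLL came from a system directory, whether the loader is signed) are this example's own additions on top of the rule.

```python
from typing import Optional

# Substrings of the loading process path (Sysmon "Image") that the rule treats
# as potentially suspicious. Same list as the page's IOC section.
SUSPICIOUS_IMAGE_SUBSTRINGS = (
    ":\\Temp\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\Downloads\\",
)

# Directories that hold the genuine taskschd.dll. A match that loads the DLL
# from anywhere else is worth a closer look (possible side-loaded copy).
SYSTEM_DLL_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_sysmon_message(event_id: int, message: str) -> dict:
    """Turn the 'Key: Value' lines of a rendered Sysmon message into a dict.

    The first line ('Image loaded:') carries no value and is skipped.
    """
    fields = {"EventID": event_id}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def matches_rule(event: dict) -> bool:
    """The rule's conditions, compared case-insensitively as Sigma does by default."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return (
        loaded.endswith("\\taskschd.dll")
        and original == "taskschd.dll"
        and any(s.lower() in image for s in SUSPICIOUS_IMAGE_SUBSTRINGS)
    )


def triage(event: dict) -> Optional[dict]:
    """Triage hints for a matching event (None if it does not match).

    The hint fields are this example's own additions, not part of the rule.
    """
    if not matches_rule(event):
        return None
    image = event["Image"]
    loaded = event["ImageLoaded"].lower()
    return {
        "image": image,
        "matched_paths": [s for s in SUSPICIOUS_IMAGE_SUBSTRINGS if s.lower() in image.lower()],
        "dll_from_system_dir": any(d in loaded for d in SYSTEM_DLL_DIRS),
        "signed": event.get("Signed", "").lower() == "true",
    }


def run_detection(raw_events) -> list:
    """raw_events: iterable of (event_id, message) pairs. Returns triage hits in order."""
    hits = []
    for event_id, message in raw_events:
        hit = triage(parse_sysmon_message(event_id, message))
        if hit is not None:
            hits.append(hit)
    return hits


def _msg(*lines: str) -> str:
    """Build a Sysmon-style Event ID 7 message body from field lines."""
    return "Image loaded:\n" + "\n".join(lines)


# Constructed sample events (made-up hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # Unsigned binary in Users\Public loads the real DLL: hit.
    (7, _msg(r"Image: C:\Users\Public\update.exe",
             r"ImageLoaded: C:\Windows\System32\taskschd.dll",
             "OriginalFileName: taskschd.dll", "Signed: false")),
    # Task Scheduler MMC snap-in from System32: expected location, no hit.
    (7, _msg(r"Image: C:\Windows\System32\mmc.exe",
             r"ImageLoaded: C:\Windows\System32\taskschd.dll",
             "OriginalFileName: taskschd.dll", "Signed: true")),
    # Binary in a Temp directory loads a different DLL: no hit.
    (7, _msg(r"Image: C:\Users\alice\AppData\Local\Temp\setup.exe",
             r"ImageLoaded: C:\Windows\System32\kernel32.dll",
             "OriginalFileName: kernel32.dll", "Signed: true")),
    # Copy of taskschd.dll dropped next to a tool in Downloads: hit, and the
    # DLL did not come from a system directory.
    (7, _msg(r"Image: C:\Users\alice\Downloads\tool.exe",
             r"ImageLoaded: C:\Users\alice\Downloads\taskschd.dll",
             "OriginalFileName: taskschd.dll", "Signed: false")),
    # Same fields but Event ID 1 (process create), not an image load: no hit.
    (1, _msg(r"Image: C:\Users\alice\Desktop\x.exe",
             r"ImageLoaded: C:\Windows\System32\taskschd.dll",
             "OriginalFileName: taskschd.dll")),
    # Upper-case field values: still a hit under case-insensitive matching.
    (7, _msg(r"Image: C:\USERS\BOB\DESKTOP\RUN.EXE",
             r"ImageLoaded: C:\WINDOWS\SYSTEM32\TASKSCHD.DLL",
             "OriginalFileName: TASKSCHD.DLL", "Signed: true")),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

    Two points worth checking against the production queries. Sigma compares strings case-insensitively by default, so the last sample event fires here; confirm that the `like` and `In` comparisons in the TDIR backend behave the same way, otherwise a loader logged with a differently cased path slips through. Second, the `Image In (...)` list is a substring match on the process path, so a hit on `\Desktop\` or `\Downloads\` by itself is weak; the fourth sample, where the DLL itself is loaded from Downloads instead of System32 or SysWOW64, is the kind of match to prioritise.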

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml 


    Tags

    SigmaMalware
