Attack Chain

1. User opens a malicious Microsoft Office document (e.g., Word, Excel).
2. The document executes embedded macro code or exploits a vulnerability.
3. The macro or exploit leverages the Component Object Model (COM).
4. The Office application (e.g., WINWORD.EXE) loads the taskschd.dll library, providing access to the Task Scheduler service.
5. The COM interface is used to programmatically create a new scheduled task.
6. The scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.
7. The malicious payload could be a script, executable, or command-line instruction.
8. Upon execution, the payload achieves the attacker’s objective, such as establishing persistence, downloading additional malware, or compromising the system.

Impact

A successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.

Recommendation

• Deploy the Sigma rule “Office Application Loading Task Scheduler DLL” to your SIEM and tune for your environment to detect this specific activity.
• Enable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.
• Investigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.
• Monitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule’s investigation guide.