{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/image_load/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Word","Excel","PowerPoint","Publisher","Access"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","windows","image_load","scheduled_task"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious image load (\u003ccode\u003etaskschd.dll\u003c/code\u003e) originating from Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). The behavior suggests potential adversarial activity involving the creation of scheduled tasks through the Windows Component Object Model (COM). Attackers may exploit this technique to establish persistence, circumventing traditional monitoring focused on the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility. The use of COM for scheduled task management allows for stealthier operation and evasion of standard security controls, making it a valuable persistence mechanism for malicious actors. The rule is designed for data generated by Elastic Defend, Sysmon, and other endpoint detection platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document executes embedded macro code or exploits a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe macro or exploit leverages the Component Object Model (COM).\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., WINWORD.EXE) loads the \u003ccode\u003etaskschd.dll\u003c/code\u003e library, providing access to the Task Scheduler service.\u003c/li\u003e\n\u003cli\u003eThe COM interface is used to programmatically create a new scheduled task.\u003c/li\u003e\n\u003cli\u003eThe scheduled task is configured to execute a malicious payload at a later time or on a recurring basis.\u003c/li\u003e\n\u003cli\u003eThe malicious payload could be a script, executable, or command-line instruction.\u003c/li\u003e\n\u003cli\u003eUpon execution, the payload achieves the attacker\u0026rsquo;s objective, such as establishing persistence, downloading additional malware, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging this technique can allow adversaries to maintain persistent access to a compromised system. This can lead to long-term data exfiltration, lateral movement within the network, and deployment of ransomware. The low severity score assigned to the original rule may underestimate the potential impact, as persistence is a critical component of many advanced attacks. Affected systems may require extensive remediation to remove all traces of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Office Application Loading Task Scheduler DLL\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging on Windows endpoints to provide visibility into DLL loading events, which is a prerequisite for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific scheduled tasks that are created and the payloads they execute.\u003c/li\u003e\n\u003cli\u003eMonitor for scheduled task creation events (Event ID 4698) and deletion events (Event ID 4699) in the Windows Event Logs, as referenced in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-image-load-office/","summary":"Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.","title":"Suspicious Image Load (taskschd.dll) from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-image-load-office/"}],"language":"en","title":"CraftedSignal Threat Feed — Image_load","version":"https://jsonfeed.org/version/1.1"}