Tag
low
advisory
Suspicious Image Load (taskschd.dll) from MS Office
2 rules 2 TTPs
Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.
Word +4
persistence
execution
windows
image_load
scheduled_task
low
advisory
Suspicious Local Scheduled Task Creation
2 rules 1 TTP
This rule detects the creation of scheduled tasks on Windows systems by non-system accounts, a common technique used by adversaries for persistence, lateral movement, and privilege escalation.
Elastic Defend
persistence
windows
scheduled_task
attack.persistence
medium
advisory
Detecting Suspicious Scheduled Task Creation in Windows
2 rules 1 TTP
This rule uses Windows event logs to detect the creation of scheduled tasks, which adversaries may create for persistence, lateral movement, or privilege escalation.
Windows Security Event Logs +8
persistence
scheduled_task
windows