LoFP / False positives may occur if legitimate Office documents create scheduled tasks, and some applications may legitimately load taskschd.dll. Investigate the scheduled task and the command it executes; if the task is benign, add the task name to the exclusion list. Note that this search only records the DLL load, not the task itself, so the task name and command line have to be pulled from other sources such as the Task Scheduler operational log or process creation events on the same host.

Techniques

Sample rules

Office Document Creating Schedule Task

Description

The following analytic detects an Office application loading taskschd.dll, which is what happens when a document's VBA macro uses the Task Scheduler COM API (the Schedule.Service object implemented in that DLL) to create a scheduled task. The detection leverages Sysmon EventCode 7 (ImageLoad) to identify when Word, Excel, PowerPoint, OneNote or Access loads taskschd.dll. This activity is significant because macro malware commonly creates a scheduled task to establish persistence or to initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activity, posing a significant threat to the environment.

Detection logic

`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "onenote.exe", "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe", "msaccess.exe") loaded_file_path="*\\taskschd.dll"
| stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `office_document_creating_schedule_task_filter`
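The same detection logic as a stand-alone Python script, added here as an example and not part of the original rule or the Splunk content it comes from. The Sysmon records are constructed in the script so it runs offline; the field names follow the SPL above, Splunk's case-insensitive value matching is mirrored in the search filter, and the `EXCLUSIONS` set is a hypothetical stand-in for the `office_document_creating_schedule_task_filter` macro (assumed here to filter on dest/process pairs). It shows which records survive each stage: the EventCode and process checks, the `*\taskschd.dll` suffix match, the `stats ... by` aggregation, and the final exclusion.

```python
"""Re-implementation of the Sysmon EventCode 7 taskschd.dll detection.

Example code, not the rule's own implementation. Sample events are
constructed; EXCLUSIONS is a hypothetical stand-in for the filter macro.
"""

# Process names from the SPL, lower-cased because Splunk matches field
# values case-insensitively at search time.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe",
    "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe", "msaccess.exe",
}

# Hypothetical exclusion list (dest, process_name) standing in for
# `office_document_creating_schedule_task_filter`.
EXCLUSIONS = {("hr-ws07", "excel.exe")}

# Fields the SPL groups on, in the same order as the `by` clause.
GROUP_FIELDS = ("user_id", "dest", "process_name", "loaded_file",
                "loaded_file_path", "original_file_name", "process_guid")


def ev(t, code, user, dest, proc, path, guid):
    """Build one constructed Sysmon record using the SPL's field names."""
    name = path.rsplit("\\", 1)[-1]
    return {"_time": t, "EventCode": code, "user_id": user, "dest": dest,
            "process_name": proc, "loaded_file": name, "loaded_file_path": path,
            "original_file_name": name, "process_guid": guid}


SYS32 = "C:\\Windows\\System32\\"
# Constructed sample data: two Word loads from one process, a benign Word
# DLL load, a svchost load, a non-ImageLoad event, an excluded Excel host,
# a OneNote load, and a path whose name only starts with taskschd.dll.
SAMPLE_EVENTS = [
    ev(1700000000, 7, "CORP\\alice", "fin-ws01", "WINWORD.EXE", SYS32 + "taskschd.dll", "{A1}"),
    ev(1700000030, 7, "CORP\\alice", "fin-ws01", "WINWORD.EXE", SYS32 + "taskschd.dll", "{A1}"),
    ev(1700000100, 7, "CORP\\alice", "fin-ws01", "WINWORD.EXE", SYS32 + "kernel32.dll", "{A1}"),
    ev(1700000200, 7, "NT AUTHORITY\\SYSTEM", "fin-ws01", "svchost.exe", SYS32 + "taskschd.dll", "{S1}"),
    ev(1700000300, 1, "CORP\\bob", "hr-ws07", "excel.exe", SYS32 + "taskschd.dll", "{B1}"),
    ev(1700000400, 7, "CORP\\bob", "hr-ws07", "excel.exe", SYS32 + "taskschd.dll", "{B2}"),
    ev(1700000500, 7, "CORP\\carol", "ops-ws03", "onenote.exe", SYS32 + "taskschd.dll", "{C1}"),
    ev(1700000600, 7, "CORP\\dave", "dev-ws02", "WINWORD.EXE", "C:\\Users\\dave\\taskschd.dll.txt", "{D1}"),
]


def matches(event):
    """Search-time filter: EventCode=7, Office process, loaded_file_path="*\\taskschd.dll"."""
    if event.get("EventCode") != 7:
        return False
    if str(event.get("process_name", "")).lower() not in OFFICE_PROCESSES:
        return False
    # The SPL wildcard "*\\taskschd.dll" anchors on the suffix, so a file
    # merely named taskschd.dll.txt does not match.
    return str(event.get("loaded_file_path", "")).lower().endswith("\\taskschd.dll")


def detect(events, exclusions=EXCLUSIONS):
    """stats min(_time) as firstTime max(_time) as lastTime count by GROUP_FIELDS,
    followed by the exclusion filter. Returns one dict per surviving group."""
    groups = {}
    for event in events:
        if not matches(event):
            continue
        key = tuple(event.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"firstTime": event["_time"],
                                    "lastTime": event["_time"], "count": 0})
        g["firstTime"] = min(g["firstTime"], event["_time"])
        g["lastTime"] = max(g["lastTime"], event["_time"])
        g["count"] += 1

    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        # Apply the (hypothetical) filter macro after aggregation, as the SPL does.
        if (row["dest"], row["process_name"].lower()) in exclusions:
            continue
        row.update(g)
        results.append(row)
    return sorted(results, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["dest"]:10} {row["user_id"]:22} {row["process_name"]:12} '
              f'count={row["count"]} first={row["firstTime"]} last={row["lastTime"]}')
```

Run as-is, the script reports the Word process on fin-ws01 (two loads collapsed into one row, count 2) and the OneNote load on ops-ws03; the Excel load on hr-ws07 is dropped by the exclusion, svchost.exe is outside the process list, the EventCode 1 record never enters the aggregation, and the `taskschd.dll.txt` path fails the suffix match. Dropping the exclusion set brings the Excel row back, which is the behaviour to expect when the filter macro is empty.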