Conversation

@swachchhanda000 swachchhanda000 (Collaborator) commented Aug 26, 2024

Summary of the Pull Request

This PR adds a rule that detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object.

Changelog

new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location

Example Log Event

{
    "win":
    {
        "system":
        {
            "providerName": "Microsoft-Windows-Sysmon",
            "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
            "eventID": "7",
            "version": "3",
            "level": "4",
            "task": "7",
            "opcode": "0",
            "keywords": "0x8000000000000000",
            "systemTime": "2024-08-12T09:02:42.3607909Z",
            "eventRecordID": "356073",
            "processID": "3260",
            "threadID": "5620",
            "channel": "Microsoft-Windows-Sysmon/Operational",
            "computer": "host1.test",
            "securityUserID": "S-1-5-18",
            "severityValue": "INFORMATION",
            "message": "\"Image loaded:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task,phase_name=Execution\r\nUtcTime: 2024-08-12 09:02:42.354\r\nProcessGuid: {8b59c806-cfae-66b9-8303-000000007d00}\r\nProcessId: 4884\r\nImage: C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\sjbfwbfcwb.exe\r\nImageLoaded: C:\\Windows\\System32\\taskschd.dll\r\nFileVersion: 10.0.19041.1266 (WinBuild.160101.0800)\r\nDescription: Task Scheduler COM API\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: taskschd.dll\r\nHashes: SHA1=27EFA81247501EBA6603842F476C899B5DAAB8C7,MD5=49E93FA14D4E09AAFD418AB616AD1BB1,SHA256=35E3F44C587DE8BFF62095E768C77E12E2C522FB7EFD038FFFCC0DD2AE960A57,IMPHASH=B7A4477FA36E2E5287EE76AC4AFCB05B\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: TERRACOTTAPHARM\\SwachchhandaP\""
        },
        "eventdata":
        {
            "ruleName": "technique_id=T1053,technique_name=Scheduled Task,phase_name=Execution",
            "utcTime": "2024-08-12 09:02:42.354",
            "processGuid": "{8b59c806-cfae-66b9-8303-000000007d00}",
            "processId": "4884",
            "image": "C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\sjbfwbfcwb.exe",
            "imageLoaded": "C:\\\\Windows\\\\System32\\\\taskschd.dll",
            "fileVersion": "10.0.19041.1266 (WinBuild.160101.0800)",
            "description": "Task Scheduler COM API",
            "product": "Microsoft® Windows® Operating System",
            "company": "Microsoft Corporation",
            "originalFileName": "taskschd.dll",
            "hashes": "SHA1=27EFA81247501EBA6603842F476C899B5DAAB8C7,MD5=49E93FA14D4E09AAFD418AB616AD1BB1,SHA256=35E3F44C587DE8BFF62095E768C77E12E2C522FB7EFD038FFFCC0DD2AE960A57,IMPHASH=B7A4477FA36E2E5287EE76AC4AFCB05B",
            "signed": "true",
            "signature": "Microsoft Windows",
            "signatureStatus": "Valid",
            "user": "test\\\\Swachchhanda"
        }
    }
}

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
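As an added illustration of the detection logic described in the PR summary (example code written for this page, not the SigmaHQ rule itself and not the author's code), the following Python matcher applies the same three conditions to Sysmon events shaped like the example log above: Event ID 7 on the Sysmon Operational channel, an `imageLoaded` ending in `\taskschd.dll`, and an `image` path under a directory where ad-hoc binaries commonly run. The directory list is an assumption for illustration; the merged rule's real filter list lives in the SigmaHQ repository. The sample events and their record IDs are constructed, and the first one mirrors the double-escaped backslashes seen in the PR's JSON export.

```python
"""Toy matcher for Sysmon Event ID 7 (Image loaded) where taskschd.dll is loaded
by a process running from a potentially suspicious directory.

Example code added for illustration; it is not the SigmaHQ rule.  Event shape
follows the PR's example log (win.system.eventID, win.eventdata.image,
win.eventdata.imageLoaded).  SUSPICIOUS_DIRS is an assumed list, not the rule's.
"""
from typing import Any

# Assumed "potentially suspicious" directories (lowercase, single backslashes).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\programdata\\",
    "\\downloads\\",
)


def _normalize(path: str) -> str:
    """Collapse double-escaped backslashes (as in the PR's JSON export) and lowercase."""
    return path.replace("\\\\", "\\").lower()


def matches_rule(event: dict[str, Any]) -> bool:
    """Return True when the event satisfies all three conditions of the rule."""
    win = event.get("win", {})
    system = win.get("system", {})
    data = win.get("eventdata", {})
    # Condition 1: Sysmon ImageLoad event (ID 7) on the Sysmon Operational channel.
    if str(system.get("eventID")) != "7":
        return False
    if system.get("channel") != "Microsoft-Windows-Sysmon/Operational":
        return False
    # Condition 2: the loaded module is the Task Scheduler COM API DLL.
    loaded = _normalize(data.get("imageLoaded", ""))
    if not loaded.endswith("\\taskschd.dll"):
        return False
    # Condition 3: the loading process lives in one of the assumed suspicious directories.
    image = _normalize(data.get("image", ""))
    return any(d in image for d in SUSPICIOUS_DIRS)


def make_event(record_id: str, image: str, image_loaded: str, event_id: str = "7") -> dict:
    """Build a minimal event in the PR's log layout (constructed test data)."""
    return {
        "win": {
            "system": {
                "providerName": "Microsoft-Windows-Sysmon",
                "eventID": event_id,
                "channel": "Microsoft-Windows-Sysmon/Operational",
                "eventRecordID": record_id,
            },
            "eventdata": {"image": image, "imageLoaded": image_loaded},
        }
    }


# Constructed sample events.
SAMPLE_EVENTS = [
    # Mirrors the PR's example: a binary in %TEMP% loading taskschd.dll.
    # Doubled backslashes mimic the double-escaped export shown in the PR.
    make_event("1001",
               "C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\sjbfwbfcwb.exe",
               "C:\\\\Windows\\\\System32\\\\taskschd.dll"),
    # Benign: mmc.exe (host of the Task Scheduler snap-in) loading the same DLL.
    make_event("1002", "C:\\Windows\\System32\\mmc.exe",
               "C:\\Windows\\System32\\taskschd.dll"),
    # Suspicious directory but a different DLL: not the behaviour the rule targets.
    make_event("1003", "C:\\Users\\Public\\updater.exe",
               "C:\\Windows\\System32\\kernel32.dll"),
    # Right DLL and directory, but Event ID 1 (ProcessCreate), so the rule does not apply.
    make_event("1004", "C:\\Windows\\Temp\\setup.exe",
               "C:\\Windows\\System32\\taskschd.dll", event_id="1"),
]


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Return (eventRecordID, image) for every event that matches the rule."""
    return [
        (e["win"]["system"]["eventRecordID"], e["win"]["eventdata"]["image"])
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for record_id, image in scan(SAMPLE_EVENTS):
        print(f"match: record {record_id} image={image}")
```

Only the first constructed event matches; the benign loads from System32 and the wrong-DLL and wrong-event-ID cases fall through one of the three checks, which is the same ordering a Sigma rule expresses with its `selection` block.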

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Aug 26, 2024
@swachchhanda000 swachchhanda000 force-pushed the taskschd-dll-abuse branch 2 times, most recently from ef13ab5 to 93e095b Compare August 26, 2024 08:32
@swachchhanda000 swachchhanda000 marked this pull request as ready for review August 26, 2024 08:39
@nasbench nasbench changed the title Suspicious Task Scheduler DLL Load Add Rule: Task Scheduler DLL Load By Application Located In Potentially Suspicious Location Sep 2, 2024
@nasbench nasbench changed the title Add Rule: Task Scheduler DLL Load By Application Located In Potentially Suspicious Location Add Rule: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location Sep 2, 2024
@nasbench nasbench merged commit 7f0f7ee into SigmaHQ:master Sep 2, 2024