Suspicious Task Scheduler DLL Load

rules/windows/image_load/image_load_dll_taskschd_load_from_suspicious_process.yml

@@ -0,0 +1,33 @@
+title: Suspicious Task Scheduler DLL Load
+id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
+status: experimental
+description: |
+  Detects the loading of the taskschd.dll module from suspicious processes from uncommon directories, which could indicate a scheduled task creation attempt via COM object (Schedule.Service) abuse.
+references:
+    - https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
+    - https://x.com/Max_Mal_/status/1826179497084739829
+author: Swachchhanda Shrawan Poudel
+date: 2024-08-26
+tags:
+    - attack.persistence
+    - attack.execution
+    - attack.t1053.005
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        - ImageLoaded|endswith: 'taskschd.dll'
+        - OriginalFileName: 'taskschd.dll'
+    filter:
+        Image|contains:
+            - '\AppData\Local\Temp\'
+            - 'C:\Users\Public\'
+            - 'C:\Windows\Temp\'
+            - 'C:\Temp\'
+            - '\Downloads\'
+            - '\Desktop\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high