Scheduled Task Creation via Microsoft Office Application
Identifies the creation of a scheduled task via a Microsoft Office application to establish persistence.
| id: | 8e98bf09-e662-4908-b68e-5c96ad5c6860 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 8/16/2019 |
| updated: | 8/16/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1053 Scheduled Task |
Query
```
image_load where
  process_name in ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe") and
  image_name == "taskschd.dll"
```
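
The query's logic applied to raw image-load records, as an added example that is not part of the original analytic. It assumes events arrive as dicts carrying Sysmon Event ID 7 fields (`EventID`, `Computer`, `Image`, `ImageLoaded`), derives `process_name` and `image_name` from the full paths, and compares them case-insensitively. The sample events, host name and Office install path are constructed.

```python
import ntpath

# Names from the query above, lower-cased: Windows file names are
# case-insensitive, so the comparison must be too.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
TASK_SCHEDULER_DLL = "taskschd.dll"


def normalize(event):
    """Map a Sysmon Event ID 7 record to the fields the query uses, else None."""
    if str(event.get("EventID")) != "7":
        return None
    image = event.get("Image") or ""
    loaded = event.get("ImageLoaded") or ""
    return {
        "host": event.get("Computer"),
        "process_name": ntpath.basename(image).lower(),
        "process_path": image,
        "image_name": ntpath.basename(loaded).lower(),
        "image_path": loaded,
    }


def detect(events):
    """Return normalized image loads where an Office process loaded taskschd.dll."""
    records = (normalize(e) for e in events)
    return [r for r in records
            if r and r["process_name"] in OFFICE_PROCESSES
            and r["image_name"] == TASK_SCHEDULER_DLL]


def sample(event_id, image, loaded=None):
    """Build one constructed event (assumed host name, not real telemetry)."""
    return {"EventID": event_id, "Computer": "ws01.example.test",
            "Image": image, "ImageLoaded": loaded}


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [
    sample(7, OFFICE + "WINWORD.EXE", "C:\\Windows\\System32\\taskschd.dll"),  # hit
    sample(7, "C:\\Windows\\System32\\mmc.exe", "C:\\Windows\\System32\\taskschd.dll"),
    sample(7, OFFICE + "EXCEL.EXE", "C:\\Windows\\System32\\ole32.dll"),
    sample(1, OFFICE + "EXCEL.EXE"),  # process creation, not an image load
    sample(7, OFFICE + "OUTLOOK.EXE", "C:\\Windows\\SysWOW64\\TASKSCHD.DLL"),  # hit
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["host"], hit["process_path"], "->", hit["image_path"])
```

A match means the Office process loaded the Task Scheduler COM library; correlate it with task registration telemetry (for example Security event 4698) before treating it as a confirmed task creation.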