taskhostw.exe tries to delete MsoIrmProtector.doc

Ceyhun Kıvanç Demir 0 Reputation points
2023-07-25T09:25:46.6566667+00:00

case is solved


1 answer

  1. Limitless Technology 44,771 Reputation points
    2023-07-25T17:59:34.16+00:00

    Hello,

    As a SOC (Security Operations Center) Analyst, encountering suspicious behavior in your environment is a critical concern. Let's analyze the situation you described:

    Process Tree:

    The process tree you provided shows the parent-child relationship of the processes involved. It appears that taskhostw.exe is attempting to delete the file MsoIrmProtector.doc.

    File Path:

    The file being targeted (MsoIrmProtector.doc) is located in the directory C:\Windows.old\WINDOWS\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31....944. This path indicates that the file might be related to Microsoft Office Information Rights Management (IRM) protections.

    Process Owner:

    The fact that the process (taskhostw.exe) is running under the Local System account is not unusual, as many system processes run with elevated privileges.

    Block Reason:

    The block reason indicates that a suspicious file modification was attempted. The "Suspicious" category suggests that the EDR has flagged this action as potentially harmful.

    Given the information you provided, it is challenging to definitively determine whether this behavior is malicious or a legitimate Windows 11 behavior. However, some possibilities to consider are:

    Legitimate Behavior: There might be a legitimate reason for taskhostw.exe to attempt to modify or delete the MsoIrmProtector.doc file. This could be related to system updates, file cleanup, or a specific software operation.

    Malicious Behavior: It's also possible that the action is indeed malicious, and an attacker is attempting to tamper with the file to evade detection or cause harm.

    To further investigate this incident, here are some recommended steps:

    Analyze the Affected System:

    Conduct a thorough analysis of the affected Windows 11 Pro system. Look for any signs of compromise or unusual behavior beyond the reported incident.

    Check Legitimate Activities:

    Research if there are any known legitimate activities that involve taskhostw.exe interacting with files in the specified directory.

    Check Microsoft Documentation:

    Refer to official Microsoft documentation and release notes for Windows 11 to see if this behavior is mentioned or documented as a legitimate system operation.

    Submit Samples and Logs to Microsoft:

    If you are still uncertain, consider reaching out to Microsoft Support or Security teams and provide them with any relevant samples, logs, or debug information for analysis.

    Share with the Cybersecurity Community:

    If you belong to a cybersecurity community or organization, consider sharing the incident details (without sensitive information) to gather insights from other experts.

    Review Endpoint Protection Configurations:

    Review your endpoint protection configurations and ensure they are up to date and configured to detect and respond to suspicious activities effectively.

    Remember, as a SOC Analyst, it's essential to follow your organization's incident response and escalation procedures when handling potential security incidents. Act promptly to investigate and mitigate any potential threats. If in doubt, consult with your organization's senior security personnel or refer to external cybersecurity experts for guidance.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

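The checks the answer recommends (confirm the process image is the genuine system binary, examine the target path, and tie the file operation to a named scheduled task) as an added PowerShell triage helper. This is example code, not from the thread or from Microsoft; the alert values it takes are constructed placeholders, with the WinSxS folder name left truncated as in the question.

```powershell
# Added triage helper; not part of the original thread.
# ASSUMPTION: the EDR alert supplies the image path and the target file path.
# The defaults below are constructed placeholders standing in for those fields.
function Test-TaskhostwFileAlert {
    param(
        [string]$ImagePath  = "$env:SystemRoot\System32\taskhostw.exe",
        [string]$TargetPath = 'C:\Windows.old\WINDOWS\WinSxS\<folder-truncated-in-alert>\MsoIrmProtector.doc'
    )

    $findings = [ordered]@{}

    # 1. taskhostw.exe only ever runs from System32; any other location is a masquerade.
    $expected = Join-Path $env:SystemRoot 'System32\taskhostw.exe'
    $findings.ImagePathExpected = ($ImagePath -ieq $expected)

    # 2. The binary must carry a valid Authenticode signature issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $ImagePath -ErrorAction SilentlyContinue
    $findings.SignatureValid    = ($null -ne $sig -and $sig.Status -eq 'Valid')
    $findings.SignedByMicrosoft = ($null -ne $sig.SignerCertificate -and
                                   $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    # 3. Windows.old holds the previous installation after an in-place upgrade, so a
    #    delete there touches a stale copy, not the live Office IRM protector files.
    $findings.TargetInWindowsOld = ($TargetPath -like "$($env:SystemDrive)\Windows.old\*")
    $findings.TargetStillExists  = Test-Path -LiteralPath $TargetPath

    # 4. taskhostw.exe hosts DLL-based (COM handler) scheduled tasks. Listing the ones
    #    running now lets the analyst attribute the file operation to a named task.
    $findings.RunningComTasks = @(
        Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object {
                $_.State -eq 'Running' -and
                ($_.Actions | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskComHandlerAction' })
            } |
            ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }
    )

    # Failing checks 1-2 points to a masquerading binary and warrants escalation;
    # passing them with the target under Windows.old points to routine cleanup,
    # which is still worth recording against the alert with the task name found in 4.
    [pscustomobject]$findings
}

Test-TaskhostwFileAlert | Format-List
```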
