#Task scheduler windows#
However, the event id 4699 corresponding to the scheduled task deletion does not get reported to the Windows Security Event log. Further, if we try to modify the task after its Index value is set to 0x0 using schtasks /change command, the task gets deleted. The resulting behavior is exactly the same as what Hafnium threat actors achieved after deleting the SD value. However, the task continues to run as per its scheduled time, even across system restarts. Hide a specific scheduled task: We found that setting the Index value to 0x0 within the Tree subkey hides the task from the Task Scheduler app and the output of schtasks /query.However, we were able to manipulate the Index value to obtain the following outcomes. Our investigation did not find any online documentation describing the purpose of the Index value associated with the scheduled task. Because every scheduled task is a part of either Boot or Logon or Plain or Maintenance, so there seems to be only three possible values for Index: 0x1, 0x2, or 0x3. The Qualys Research Team wrote a Python script and ran it across different Windows machines to confirm this behavior. All tasks registered within the path HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\(Plain or Maintenance) have an Index value of 0x3.All tasks registered within the path HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon have an Index value of 0x2.All tasks registered within the path HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot have an Index value of 0x1.We found that the Index value is set to either 0x1 or 0x2 or 0x3. We further observed that the Index value within the Tree subkey is also related to this third subkey associated with the scheduled task. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ matches with the Id value found in the Tree subkey. How Threat Actors Hide Scheduled TasksĪccording to Microsoft’s blog, with the creation of every scheduled task, the following two registry subkeys get created: one within the Tree path and the other within the Tasks path. Next, we give a detailed description of new techniques being used to hide a scheduled task in Microsoft environments. Our most important finding is that the Index value within the Windows Registry path (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME)Ĭan also be abused to hide and delete any scheduled task.įirst, let’s briefly describe the technique used by Hafnium and others to hide a scheduled task. The objective of this blog is to communicate our research findings.
Recently, security researchers at Microsoft published an article that documented how the Chinese state-sponsored group Hafnium concealed scheduled tasks by deleting the Security Descriptor (SD) value within the Windows registry path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME.įollowing the disclosure by Microsoft, the Qualys Research Team wondered if there are other ways of concealing scheduled tasks and decided to investigate further. In fact, the MITRE ATT&CK framework lists it as one of the most popular techniques used by threat actors, since the ability to schedule programs or scripts is a common utility across operating systems.
#Task scheduler code#
In this blog, we describe three new techniques to hide and delete scheduled tasks in a Microsoft Windows environment.Īdversaries abuse task scheduling functionality in Microsoft Windows environments to facilitate initial or recurring execution of malicious code at system startup or on a scheduled basis for persistence. The Qualys Research Team investigated different ways that attackers could use to conceal scheduled tasks.
Scheduling tasks is one of the most popular attack techniques used by threat actors to establish persistence on a victim’s machine.
0 kommentar(er)
