Defending Against Scheduled Task Attacks in Windows Environments

Scheduling tasks is a common technique used by threat actors to establish persistence on a victim's machine. The Qualys Research Team has uncovered new techniques to hide and delete scheduled tasks in a Microsoft Windows environment. In this article, we will explore these techniques and provide insights into defending against scheduled task attacks.

How Threat Actors Hide Scheduled Tasks

According to Microsoft's blog, when a scheduled task is created, two registry subkeys are also created: one within the Tree path and the other within the Tasks path. The Tree subkey contains metadata for task registration, while the Tasks subkey contains parameters for task execution.

In a recent incident involving the Chinese state-sponsored group Hafnium, the threat actor concealed a scheduled task by deleting the Security Descriptor (SD) value within the Tree subkey. This caused the task to disappear from both the Task Scheduler app and the output of the schtasks /query command, while the task itself kept running.

New Methods to Hide Scheduled Tasks

The Qualys Research Team has discovered two new methods to hide scheduled tasks: manipulating the Index value within the Tree subkey and deleting the Index value altogether.

Setting the Index value to 0x0 within the Tree subkey hides the task from the Task Scheduler app and the output of schtasks /query. However, the task continues to run as scheduled. This technique achieves the same result as deleting the SD value, as demonstrated by Hafnium.

Deleting the Index value causes the Task Scheduler app and schtasks /query to fail with an error message, effectively hiding all scheduled tasks. However, existing tasks continue to run, and new tasks can still be created.

Experimental Setup Environment

The Qualys Research Team conducted experiments on Windows 10 Pro, Windows 10 Enterprise, and Windows 2016 server. The researchers configured object auditing to track events corresponding to scheduled task creation, deletion, and updating in the Windows Security event log. They also created a scheduled task named ImpTask to observe the behavior of the Index value.

Conclusion

The Index value and SD value within the Tree subkey of a scheduled task can be abused by attackers to hide scheduled tasks or to break task enumeration altogether. Monitoring modifications to these two values is essential for detecting this kind of persistence and catching the malicious code execution behind it. By understanding these new techniques, defenders can better protect Windows environments against scheduled task attacks.
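The following PowerShell is an added example, not code from the Qualys article or from Microsoft's write-up: it walks the Task Scheduler's registry cache and reports task nodes whose SD value is missing (the Hafnium technique) or whose Index value is absent or set to 0 (the two techniques above), and cross-checks each against what the Task Scheduler API still lists. The full TaskCache registry path is not spelled out in the article and is assumed here, and the function and variable names are my own.

```powershell
# Added example (not from the Qualys article). Assumed: the standard TaskCache
# location, which the article refers to only as the "Tree" and "Tasks" paths.
$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTaskCandidate {
    [CmdletBinding()]
    param()

    # Tasks the Task Scheduler API still returns; anything in the registry
    # that is missing from this set is already invisible to normal tooling.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible["$($_.TaskPath)$($_.TaskName)"] = $true }

    Get-ChildItem -Path $TreeRoot -Recurse | ForEach-Object {
        $node  = $_
        $props = Get-ItemProperty -LiteralPath $node.PSPath

        # Folder nodes also carry Id and SD, so treat only leaf nodes with an
        # Id as tasks (an empty folder would show up as a false positive).
        if ($node.SubKeyCount -ne 0 -or -not $props.PSObject.Properties['Id']) { return }

        # Turn the registry key name into the Task Scheduler path, e.g. \ImpTask
        $taskPath = $node.Name -replace '^.*\\TaskCache\\Tree', ''
        $reasons  = New-Object System.Collections.Generic.List[string]

        if (-not $props.PSObject.Properties['SD'])    { $reasons.Add('SD value missing') }
        if (-not $props.PSObject.Properties['Index']) { $reasons.Add('Index value missing') }
        elseif ($props.Index -eq 0)                   { $reasons.Add('Index set to 0') }
        if (-not $visible.ContainsKey($taskPath))     { $reasons.Add('not listed by Get-ScheduledTask') }

        if ($reasons.Count -eq 0) { return }

        # The Tasks subkey named by the GUID holds the execution parameters.
        $taskKey   = Join-Path $TasksRoot $props.Id
        $taskProps = if (Test-Path -LiteralPath $taskKey) { Get-ItemProperty -LiteralPath $taskKey } else { $null }

        [pscustomobject]@{
            TaskPath = $taskPath
            Id       = $props.Id
            Author   = $taskProps.Author
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Run from an elevated prompt; each row is a task whose definition deserves a closer look.
Get-HiddenScheduledTaskCandidate | Format-Table -AutoSize
```

Each flagged row can be correlated with the registry object-access events that the article's auditing setup writes to the Security log, which turns a one-off hunt into an ongoing detection.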

Contributors: Mayuresh Dani, Threat Research Manager, Qualys
Contact: [email protected]

Figure 1. Three registry keys associated with the scheduled task ImpTask.