{"id":25561,"date":"2022-07-09T00:06:00","date_gmt":"2022-07-08T22:06:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=25561"},"modified":"2022-07-08T22:34:23","modified_gmt":"2022-07-08T20:34:23","slug":"abwehr-windows-aufgabenplanung-als-einfallstor-fr-angriffe","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/07\/09\/abwehr-windows-aufgabenplanung-als-einfallstor-fr-angriffe\/","title":{"rendered":"Defense: Windows task scheduling as an attack vector"},"content":{"rendered":"

\"Windows\"[German<\/a>]Attackers use Windows task scheduling as a technique and create tasks (scheduled tasks) there to infiltrate a victim's machine. The Qualys research team has investigated a number of ways attackers can hide such scheduled tasks. This paper describes three new techniques for hiding and deleting scheduled tasks in a Microsoft Windows environment. This is not theoretical work \"in a vacuum,\" as the technique has been used by suspected Chinese attacker (APT) Hafnium. <\/p>\n

<\/p>\n

Attackers abuse the task scheduling (task scheduler) in Microsoft Windows environments to enable the initial or repeated execution of malicious code at system startup or at a scheduled time. The MITRE ATT&CK framework even cites this<\/a> as one of the most popular techniques used by attackers, as the ability to schedule programs or scripts is a common service in various operating systems.  <\/p>\n

Hafnium uses this technique<\/h2>\n

Recently, Microsoft security researchers published an article<\/a> describing how hackers from the state-sponsored Chinese group Hafnium hide scheduled tasks by deleting the Security Descriptor (SD) value in the Windows registry path: :<\/p>\n

HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME<\/code><\/pre>\n
After Microsoft publicly disclosed this attack technique, the Qualys research team wondered if there were other ways to hide scheduled tasks and decided to investigate further. <\/p>\n
Hide scheduled task<\/h2>\n
This blog post explains the results. The most important finding of the analysis is that the index value in the Windows registry path <\/p>\n
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME<\/code><\/pre>\n
may be misused to hide or delete a scheduled task. Below, we briefly describe the technique that Hafnium and other actors use to hide a scheduled task. We then detail new techniques that can be used to hide a scheduled task in Microsoft environments. <\/p>\n
How attackers hide scheduled tasks <\/h3>\n
According to the Microsoft post, when each scheduled task is created, the following two registry subkeys are generated, one in the Tree path and the other in the Tasks path. <\/p>\n
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME \nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{GUID} <\/code><\/pre>\n
The first subkey TASK_NAME<\/em> generated in the tree path corresponds to the name of the scheduled task. The values generated in it (i.e. Id, Index and SD) contain metadata for task registration in the system.  <\/p>\n
The second subkey {GUID} generated in the Tasks path corresponds to the Id value in the Tree<\/em> subkey. The values created in it (i.e. actions, path, triggers, etc.) contain the basic parameters required to execute the task. <\/p>\n
In Hafnium's case, the attackers created a scheduled task called WinUpdate<\/em> to restore broken connections to their Command & Control infrastructure. As a result, subkeys were created in the Tree<\/em> path and the Tasks<\/em> path. The attackers then gained SYSTEM privileges (through token theft) and deleted the SD<\/em> value in the Tree<\/em> subkey.  <\/p>\n
Removing the SD value caused the task to \"disappear\" from the task scheduler and from the output of the schtasks \/query<\/em> command, which meant that the scheduled task could no longer be found using any of the traditional identification methods. <\/p>\n
The investigation by Qualsys security researchers now revealed that changing or deleting the index value in the tree subkey also causes scheduled tasks to be hidden. The security researchers will explain their findings below, but first a brief description of the investigation conditions.  <\/p>\n
The Qualys research team's investigation setup <\/h3>\n
The security researchers conducted their investigations on Windows 10 Pro (v10.0.19043), Windows 10 Enterprise (v10.0.19044) and Windows 2016 Server. On each machine, they first performed the following two steps<\/p>\n