Persistence – Scheduled Task Tampering

Scheduled Task Tampering Havoc C2.png

Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method of persistence by threat actors and red teams and therefore this technique has drawn a lot of attention from SOC teams which are monitoring specific Windows Event ID’s in order to identify modifications in Windows Scheduled Tasks.

The schtasks utility is part of the Windows ecosystem and can be used to tamper (create or modify) a schedule task in order to execute an arbitrary implant and establish persistence under the context of a standard user or administrator. Microsoft has disclosed artifacts from the HAFNIUM threat actor which has led to the discovery of a new approach which evades the usage of schtasks which might be heavily monitored and leverage the Windows registry to tamper scheduled tasks. Manipulation of registry keys to create or modify scheduled tasks doesn’t generate the typical noise (Event ID 4698 & 106) and offers a stealthier approach of establishing persistence.

Scheduled Tasks are stored in registry in the following locations:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

The registry key Tree contains the scheduled tasks by name and each task has the following registry keys:

Default Empty
Id GUID of the Task
Index DWORD value
SD Security Descriptor of the Task

The above registry keys structure can be re-created to generate a new scheduled task. It should be noted that removal of the SD registry key will result the task not to be visible in the Task Scheduler or when using the command schtasks /query. However, elevated privileges (SYSTEM) are required in order to create or remove these registry keys.

Registry Scheduled Tasks Tree

The registry key Tasks contains the GUID of the scheduled task (mapping to the Id value of the Tree registry key) and other registry keys which are required to run a scheduled task such as:

  • Task Trigger
  • Task Action
  • Path

The information is formatted in encoded keys and binary blobs. Microsoft has also disclosed that deleting the registry keys Tasks & Tree will not have any effect in the scheduled task as it will continue to run with the defined parameters until the svchost process is terminated or the system is rebooted.

Registry Scheduled Tasks

Create New Task

Chris Au developed a beacon object file called GhostTask which implements the stealth technique of Scheduled Task tampering. GhostTask can create the registry structure for the arbitrary scheduled task directly from memory. Executing the following command will run the implant on a daily basis at a specific time.

GhostTask.exe localhost add pentestlab "cmd.exe" "/c demon.x64.exe" red\Administrator daily 11:30
Scheduled Tasks – Create New Task

The information about the newly created task will be displayed at the end of the console.

Scheduled Tasks – Create New Task output

Examining the registry will verify that the registry keys have been been created successfully.

Scheduled Task Tampering – Arbitrary Task
Scheduled Task Tampering – Task Information

The command that will run the implant will be stored in the actions key.

Scheduled Task Tampering – Actions Registry Key

Task Modification

GhostTask can be also used to tamper an existing scheduled task with an arbitrary beacon for a more stealthier approach. Execution of the following command will modify the CacheTask in order to execute the beacon under the context of the user peter on a daily basis at a specific time interval.

GhostTask.exe localhost add "Microsoft\Windows\Wininet\CacheTask" "cmd.exe" "/c C:\Users\peter\Downloads\demon.x64.exe" red/peter daily 11:37
Scheduled Task Tampering – Task Tampering

Looking at the Task Scheduler will verify that the task has been modified successfully.

Scheduled Task Tampering – Scheduled Tasks

The default implant of Havoc Command and Controller supports a scheduled task bof which can be used to query the tampered scheduled task from the implant.

schtasksquery Microsoft\Windows\Wininet\CacheTask
Havoc C2 – Scheduled Task Query

The XML schema of the scheduled task will be displayed in the output as an alternative method to verify that the task has been tampered.

Havoc C2 – Scheduled Task Enumeration

Once the scheduled task is executed a connection will be established.

Scheduled Task Tampering – Havoc C2 Session

References



Source link

Leave a Comment

Your email address will not be published. Required fields are marked *


Scroll to Top