Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method of persistence by threat actors and red teams and therefore this technique has drawn a lot of attention from SOC teams which are monitoring specific Windows Event ID’s in order to identify modifications in Windows Scheduled Tasks.
The schtasks utility is part of the Windows ecosystem and can be used to tamper (create or modify) a schedule task in order to execute an arbitrary implant and establish persistence under the context of a standard user or administrator. Microsoft has disclosed artifacts from the HAFNIUM threat actor which has led to the discovery of a new approach which evades the usage of schtasks which might be heavily monitored and leverage the Windows registry to tamper scheduled tasks. Manipulation of registry keys to create or modify scheduled tasks doesn’t generate the typical noise (Event ID 4698 & 106) and offers a stealthier approach of establishing persistence.
Scheduled Tasks are stored in registry in the following locations:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeThe registry key Tree contains the scheduled tasks by name and each task has the following registry keys:
| Default | Empty |
| Id | GUID of the Task |
| Index | DWORD value |
| SD | Security Descriptor of the Task |
The above registry keys structure can be re-created to generate a new scheduled task. It should be noted that removal of the SD registry key will result the task not to be visible in the Task Scheduler or when using the command schtasks /query. However, elevated privileges (SYSTEM) are required in order to create or remove these registry keys.
The registry key Tasks contains the GUID of the scheduled task (mapping to the Id value of the Tree registry key) and other registry keys which are required to run a scheduled task such as:
- Task Trigger
- Task Action
- Path
The information is formatted in encoded keys and binary blobs. Microsoft has also disclosed that deleting the registry keys Tasks & Tree will not have any effect in the scheduled task as it will continue to run with the defined parameters until the svchost process is terminated or the system is rebooted.
Create New Task
Chris Au developed a beacon object file called GhostTask which implements the stealth technique of Scheduled Task tampering. GhostTask can create the registry structure for the arbitrary scheduled task directly from memory. Executing the following command will run the implant on a daily basis at a specific time.
GhostTask.exe localhost add pentestlab "cmd.exe" "/c demon.x64.exe" red\Administrator daily 11:30
The information about the newly created task will be displayed at the end of the console.
Examining the registry will verify that the registry keys have been been created successfully.
The command that will run the implant will be stored in the actions key.
Task Modification
GhostTask can be also used to tamper an existing scheduled task with an arbitrary beacon for a more stealthier approach. Execution of the following command will modify the CacheTask in order to execute the beacon under the context of the user peter on a daily basis at a specific time interval.
GhostTask.exe localhost add "Microsoft\Windows\Wininet\CacheTask" "cmd.exe" "/c C:\Users\peter\Downloads\demon.x64.exe" red/peter daily 11:37
Looking at the Task Scheduler will verify that the task has been modified successfully.
The default implant of Havoc Command and Controller supports a scheduled task bof which can be used to query the tampered scheduled task from the implant.
schtasksquery Microsoft\Windows\Wininet\CacheTask
The XML schema of the scheduled task will be displayed in the output as an alternative method to verify that the task has been tampered.
Once the scheduled task is executed a connection will be established.
