The Microsoft Detection and Response Team (DART), in collaboration with the Microsoft Threat Intelligence Center (MSTIC), is warning of a defense evasion malware called Tarrask. The malware creates scheduled tasks and then strips attributes from them, so that the tasks are "hidden" from the usual means of listing and identifying them.
Microsoft notes how simple the technique is, while stressing that scheduled task abuse is a very common, and attractive, method of persistence and defense evasion.
Tarrask abuses the Windows Task Scheduler, the service that lets users run automated jobs (scheduled tasks) on a given computer for legitimate administrative purposes, such as scheduled updates for browsers and other applications.
Creating a scheduled task, whether through the Task Scheduler GUI or the schtasks command-line utility, generates several artifacts on the host: registry keys under the TaskCache\Tree and TaskCache\Tasks keys and a task definition XML file under System32\Tasks. Tarrask's trick is to remove one of those artifacts after the task has been registered.
The Task Scheduler has been part of Windows for many years, notes Microsoft, and this kind of evasion lets Tarrask maintain access to high-value targets in a way that is likely to go undetected.
This is especially problematic for systems that are infrequently rebooted, such as domain controllers and database servers, where a hidden task can keep running for a long time before anyone looks.
Tarrask can be mitigated or detected by adopting the following Microsoft recommendations and security guidelines:
- Enumerate the task keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree on your Windows hosts and identify any scheduled task whose key has no SD (security descriptor) value. A task whose Tree key lacks SD is not listed by schtasks /query or the Task Scheduler GUI, which is the whole point of the technique. Analyze those tasks as needed.
- Modify your audit policy so that scheduled task actions are logged: enable the Microsoft-Windows-TaskScheduler/Operational log (it is off by default) and apply the Microsoft-recommended audit policy settings that suit your environment. Security Event ID 4698 requires the Audit Other Object Access Events subcategory.
- Enable and centralize the following Task Scheduler logs. Even if the tasks are "hidden", these logs record key events relating to them that can lead you to a well-hidden persistence mechanism:
- Event ID 4698 (a scheduled task was created) in the Security.evtx log
- The Microsoft-Windows-TaskScheduler/Operational.evtx log
- The threat actors in this campaign used hidden scheduled tasks to maintain access to internet-facing critical assets by regularly re-establishing outbound communications with their C&C infrastructure. Watch for uncommon outbound connections from your Tier 0 and Tier 1 assets, and make sure monitoring and alerting for those connections is in place.
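As an added illustration of the first two recommendations above (this is not code from Microsoft or from the original article), the PowerShell below walks the TaskCache\Tree key for task entries that carry an Id but no SD value, and then pulls the matching 4698 and Task Scheduler Operational events for those task paths. The function names are my own; the registry paths, value names and event IDs are the documented Windows ones.

```powershell
# Added example, not Microsoft's or the article's code: a read-only hunt for the
# Tarrask-style indicator (task key present, SD value missing) plus the events
# the article recommends collecting. Run in an elevated PowerShell session.
# Function names are my own; paths, value names and event IDs are Windows' own.

$TreeKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$TaskXmlRoot = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-HiddenScheduledTask {
    # Each registered task has a key under Tree carrying Id (a GUID that points at
    # TaskCache\Tasks\{GUID}) and SD (its security descriptor). Folder keys carry
    # no Id. Tarrask deletes SD, which is what makes the task vanish from
    # schtasks /query and the GUI, so "Id present, SD absent" is the signal.
    Get-ChildItem -Path $TreeKey -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        if ($null -ne $props.Id -and $null -eq $props.SD) {
            # Turn the registry key name into the task path the scheduler uses, e.g. \Microsoft\Windows\X\Y
            $taskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)
            $detail   = Get-ItemProperty -Path (Join-Path $TasksKey $props.Id) -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                TaskPath  = $taskPath
                Id        = $props.Id
                Author    = $detail.Author
                # Is the task definition XML still on disk? Either answer is worth knowing.
                XmlOnDisk = Test-Path -LiteralPath (Join-Path $TaskXmlRoot $taskPath.TrimStart('\'))
            }
        }
    }
}

function Get-TaskSchedulerEvent {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Security 4698 = "a scheduled task was created" (needs Audit Other Object Access Events).
    # Operational 106/140/141 = task registered/updated/deleted, 200/201 = action started/completed.
    $filters = @(
        @{ LogName = 'Security'; Id = 4698; StartTime = $since }
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 141, 200, 201; StartTime = $since }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $evt = $_
            [xml]$xml = $evt.ToXml()
            # Both logs put the task path in an EventData field named TaskName.
            $taskName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
            [PSCustomObject]@{
                Time     = $evt.TimeCreated
                Log      = $filter.LogName
                Id       = $evt.Id
                TaskName = $taskName
                Message  = ($evt.Message -split "`n")[0]
            }
        }
    }
}

# Both logs must be on for the event query to return anything. The Operational
# log is disabled by default and 4698 needs its audit subcategory enabled:
#   wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
#   auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

$hidden = @(Get-HiddenScheduledTask)
if ($hidden.Count -eq 0) {
    'No task keys without an SD value found under TaskCache\Tree.'
} else {
    $hidden | Format-Table -AutoSize
    # Pull creation and run history for just those task paths so an analyst can
    # see who registered them, when, and what they have been executing.
    $names = $hidden.TaskPath
    Get-TaskSchedulerEvent -Days 90 |
        Where-Object { $names -contains $_.TaskName } |
        Sort-Object Time |
        Format-Table -AutoSize
}
```

Treat a hit as a lead, not a verdict: a missing SD is the indicator the article describes, but it is still worth confirming what the task's actions are before acting. The registry check is also only as good as the Tree key itself; if an actor removes a task's Tree key entirely there is nothing here to find, which is exactly why the 4698 and Operational event history should be collected centrally rather than read from the host after the fact.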
For complete mitigation tips visit the Microsoft Security blog.