This artefact will highlight any scheduled tasks missing the Security Descriptor (SD) value in the task cache. Without this value, the task is hidden from common query methods.
Once a task is identified with the SD value missing, the arefact tries to pull additional information from the registry and XML file for the task.
An example of this technique is used by the Tarrask malware.
Reference:
name: Windows.Registry.TaskCache.HiddenTasks
author: Zach Stanford - @svch0st
description: |
This artefact will highlight any scheduled tasks missing the Security Descriptor (SD) value in the task cache. Without this value, the task is hidden from common query methods.
Once a task is identified with the SD value missing, the arefact tries to pull additional information from the registry and XML file for the task.
An example of this technique is used by the Tarrask malware.
Reference:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
Select * from foreach(row={
SELECT *,
FROM read_reg_key(globs='HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tree/**', accessor="reg")
Where SD = null
},
query={
SELECT
Date,
Key.FullPath,
Path,
{SELECT * FROM Artifact.Windows.System.TaskScheduler(TasksPath="C:\\Windows\\System32\\Tasks"+Path)} as TaskXML,
basename(path=Key.FullPath) as TaskID
FROM read_reg_key(globs='HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tasks/*', accessor="reg")
WHERE TaskID = Id
})