{"id":112008,"date":"2022-04-12T09:00:00","date_gmt":"2022-04-12T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=112008"},"modified":"2023-09-14T13:17:58","modified_gmt":"2023-09-14T20:17:58","slug":"tarrask-malware-uses-scheduled-tasks-for-defense-evasion","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/","title":{"rendered":"Tarrask malware uses scheduled tasks for defense evasion"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n\n<p><strong>April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. <strong>HAFNIUM <\/strong>is now tracked as<strong> Silk Typhoon<\/strong>.<\/p>\n\n\n<p>To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\"><strong>Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n\n<\/blockquote>\n\n\n\n<p>As Microsoft continues to track the high-priority state-sponsored threat actor <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/03\/02\/new-nation-state-cyberattacks\/\">HAFNIUM<\/a>, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a <a href=\"https:\/\/unit42.paloaltonetworks.com\/manageengine-godzilla-nglite-kdcsponge\/\">previous blog<\/a>. <\/p>\n\n\n\n<p>Microsoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\">Spring 2021<\/a>.<\/p>\n\n\n\n<p>Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates \u201chidden\u201d scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.<\/p>\n\n\n\n<p>The blog outlines the simplicity of the malware technique Tarrask uses, while highlighting that scheduled task abuse is a very common method of persistence and defense evasion\u2014and an enticing one, at that. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, how the malware&#8217;s evasion techniques are used to maintain and ensure persistence on systems, and how to protect against this tactic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Right on schedule: Maintaining persistence via scheduled tasks<\/h2>\n\n\n\n<p>Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications).<\/p>\n\n\n\n<p>Throughout the course of our research, we\u2019ve found that threat actors commonly make use of this service to maintain persistence within a Windows environment.<\/p>\n\n\n\n<p>We\u2019ve noted that the Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the <a href=\"https:\/\/docs.microsoft.com\/windows-server\/administration\/windows-commands\/schtasks\">schtasks<\/a> command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism.<\/p>\n\n\n\n<p>The following registry keys are created upon creation of a new task:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\<strong>Tree\\<em>TASK_NAME<\/em><\/strong><\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\<strong>Tasks\\{<em>GUID<\/em>}<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"589\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig1_Tarrask-malware-creates-new-registry-keys-along-with-the-creation-of-new-scheduled-tasks.png\" alt=\"Screen grab of the Tarrask malware creating new registry keys and new scheduled tasks in Registry Editor.\" class=\"wp-image-112014\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig1_Tarrask-malware-creates-new-registry-keys-along-with-the-creation-of-new-scheduled-tasks.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig1_Tarrask-malware-creates-new-registry-keys-along-with-the-creation-of-new-scheduled-tasks-300x221.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig1_Tarrask-malware-creates-new-registry-keys-along-with-the-creation-of-new-scheduled-tasks-768x565.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 1. Tarrask malware creates new registry keys along with the creation of new scheduled tasks<\/figcaption><\/figure>\n\n\n\n<p>The first subkey, created within the <strong>Tree<\/strong> path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the <strong>Tasks<\/strong> path, is a GUID mapping to the <strong>Id<\/strong> value found in the <strong>Tree<\/strong> key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.<\/p>\n\n\n\n<p>To demonstrate the value in the artifacts generated, shown in the following figures, we have created \u201cMy Special Task\u201d which is set to execute the binary \u201cC:\\Windows\\System32\\calc.exe\u201d on a regular interval.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"735\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig2_XML-file-matches-name-of-the-task.png\" alt=\"Screen grab of the XML file and Registry Editor\" class=\"wp-image-112017\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig2_XML-file-matches-name-of-the-task.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig2_XML-file-matches-name-of-the-task-300x276.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig2_XML-file-matches-name-of-the-task-768x706.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 2. XML file matches name of the task<\/figcaption><\/figure>\n\n\n\n<p>Similar information is also stored within an extensionless XML file created within <em>C:\\Windows\\System32\\Tasks<\/em>, where the name of the file matches the name of the task. This is displayed in Figure 2, where we name the task \u201cMy Special Task\u201d as an example.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"919\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig3_Extensionless-XML-file.png\" alt=\"Screen grab of an XML file\" class=\"wp-image-112020\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig3_Extensionless-XML-file.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig3_Extensionless-XML-file-261x300.png 261w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig3_Extensionless-XML-file-768x882.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 3. Extensionless XML file<\/figcaption><\/figure>\n\n\n\n<p>Note that the \u201cActions\u201d value stored within the Tasks\\{GUID} key points to the command line associated with the task. In Figure 2, there is a reference to \u201cC:\\Windows\\System32\\calc.exe\u201d within the \u201cEdit Binary Value\u201d dialog, and there is a path referenced within the \u201c&lt;Command&gt;\u201d section in the extensionless XML file in Figure 3. The fact that this value is stored within two different locations can prove useful in recovering information regarding the task\u2019s purpose in the event the threat actor has taken steps to cover their tracks.<\/p>\n\n\n\n<p>Finally, there are two Windows event logs that record actions related to the creation and operation of Scheduled Tasks \u2013 Event ID 4698 within the Security.evtx log, and the Microsoft-Windows-TaskScheduler\/Operational.evtx log.<\/p>\n\n\n\n<p>Neither of these are audited by default and must be explicitly turned on by an administrator. Microsoft-Windows-TaskScheduler\/Maintenance.evtx will exist by default, but only contains maintenance-related information for the Task Scheduler engine.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Effectively hiding scheduled tasks<\/h2>\n\n\n\n<p>In this scenario, the threat actor created a scheduled task named \u201cWinUpdate\u201d via HackTool:Win64\/Tarrask in order to re-establish any dropped connections to their command and control (C&amp;C) infrastructure. This resulted in the creation of the registry keys and values described in the earlier section, however, the threat actor deleted the SD value within the Tree registry path.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"247\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig4_Deletion-of-the-security-descriptor-SD-value.png\" alt=\"Screen grab of the deletion of a registry value in registry editor\" class=\"wp-image-112023\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig4_Deletion-of-the-security-descriptor-SD-value.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig4_Deletion-of-the-security-descriptor-SD-value-300x93.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig4_Deletion-of-the-security-descriptor-SD-value-768x237.png 768w\" sizes=\"(max-width: 799px) 100vw, 799px\" \/><figcaption class=\"wp-element-caption\">Figure 4. Deletion of the security descriptor (SD) value<\/figcaption><\/figure>\n\n\n\n<p>In this context, SD refers to the Security Descriptor, which determines the users allowed to run the task. Interestingly, removal of this value results in the task \u201cdisappearing\u201d from \u201cschtasks \/query\u201d and Task Scheduler. The task is effectively hidden unless an examiner manually inspects the aforementioned registry paths.<\/p>\n\n\n\n<p>Issuing a \u201creg delete\u201d command to delete the SD value will result in an \u201cAccess Denied\u201d error even when run from an elevated command prompt. Deletion must occur within the context of the SYSTEM user. It is for this reason that the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process. Upon execution of the token theft, the malware could operate with the same privileges as LSASS, making the deletion possible.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"139\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig5_Successful-deletion-of-SD-in-Command-Prompt.png\" alt=\"Screengrab of a deleted SD in command prompt\" class=\"wp-image-112026\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig5_Successful-deletion-of-SD-in-Command-Prompt.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig5_Successful-deletion-of-SD-in-Command-Prompt-300x52.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/Fig5_Successful-deletion-of-SD-in-Command-Prompt-768x133.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">Figure 5. Successful deletion of SD in Command Prompt<\/figcaption><\/figure>\n\n\n\n<p>It is also important to note that the threat actor could have chosen to completely remove the two registry keys within Tree and Tasks, and the XML file created within <em>C:\\Windows\\System32\\Tasks<\/em>. This would effectively remove the on-disk artifacts associated with the scheduled task, but the task would continue to run according to the defined triggers until the system rebooted, or until the associated svchost.exe process responsible for executing the task was terminated.<\/p>\n\n\n\n<p>It\u2019s possible the threat actor wanted to ensure persistence across reboots and therefore chose not to perform those steps, instead deleting only the SD value; however, we also speculate that the threat actor was unaware that the task would continue to run even after these components were removed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations and cyber resilience guidance<\/h2>\n\n\n\n<p>Job or task schedulers are services that have been present in the Windows operating system for many years. The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.<\/p>\n\n\n\n<p>As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique. We also want to bring attention to the fact that threat actors may utilize this method of evasion to maintain access to high value targets in a manner that will likely remain undetected. This could be especially problematic for systems that are infrequently rebooted (e.g., critical systems such as domain controllers, database servers, etc.).<\/p>\n\n\n\n<p>The techniques used by the actor and described in this post can be mitigated or detected by adopting the following recommendations and security guidelines<sup>1<\/sup>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enumerate your Windows environment registry hives looking in the <em>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree<\/em> registry hive and identify any scheduled tasks without SD (security descriptor) Value within the Task Key. Perform analysis on these tasks as needed.<\/li>\n\n\n\n<li>Modify your audit policy to identify Scheduled Tasks actions by enabling logging \u201cTaskOperational\u201d within Microsoft-Windows-TaskScheduler\/Operational. Apply the <a href=\"https:\/\/docs.microsoft.com\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/audit-policy-recommendations\">recommended Microsoft audit policy settings<\/a> suitable to your environment.<\/li>\n\n\n\n<li>Enable and centralize the following Task Scheduler logs. Even if the tasks are \u2018hidden\u2019, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism\n<ul class=\"wp-block-list\">\n<li>Event ID 4698 within the Security.evtx log<\/li>\n\n\n\n<li>Microsoft-Windows-TaskScheduler\/Operational.evtx log<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&amp;C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical <a href=\"https:\/\/docs.microsoft.com\/security\/compass\/privileged-access-access-model?msclkid=cd775d3ba56111eca958db4059cdf03d\">Tier 0 and Tier 1 assets<\/a> is in place.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of compromise (IOCs)<\/h2>\n\n\n\n<p>The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>SHA256<\/strong><\/td><td><strong>File Name<\/strong><\/td><td><strong>Details<\/strong><\/td><\/tr><tr><td>54660bd327c9b9d60a5b45cc59477c75b4a8e2266d988da8ed9956bcc95e6795<\/td><td>winupdate.exe, date.exe, win.exe<\/td><td>Tarrask<\/td><\/tr><tr><td>a3baacffb7c74dc43bd4624a6abcd1c311e70a46b40dcc695b180556a9aa3bb2<\/td><td>windowsvc.exe, winsrv.exe, WinSvc.exe, ScriptRun.exe, Unique.exe, ngcsvc.exe, ligolo_windows_amd64.exe, proxy.zip, wshqos.exe, cert.exe, ldaputility.exe<\/td><td>Ligolo<\/td><\/tr><tr><td>7e0f350864fb919917914b380da8d9b218139f61ab5e9b28b41ab94c2477b16d<\/td><td>CertCert.jsp, Cert0365.jsp<\/td><td>Godzilla web shell<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft 365 Defender Detections<\/h2>\n\n\n\n<p>How customers can identify this in Microsoft 365 Defender:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft Defender Antivirus<\/h3>\n\n\n\n<p>Microsoft Defender for Endpoint on detects implants and components as the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HackTool:Win64\/Tarrask!MSR<\/li>\n\n\n\n<li>HackTool:Win64\/Ligolo!MSR<\/li>\n<\/ul>\n\n\n\n<p>Microsoft Defender for Endpoint detects malicious behavior observed as the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Behavior:Win32\/ScheduledTaskHide.A<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft Sentinel Detections<\/h2>\n\n\n\n<p>Microsoft Sentinel customers can use the following detection queries to look for this activity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/MultipleDataSources\/TarraskHashIoC.yaml\">Tarrask malware hash IOC<\/a>: This query identifies a hash match related to Tarrask malware across various data sources.<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/SecurityEvent\/ScheduleTaskHide.yaml\">Scheduled Task Hide<\/a>: This query uses Windows Security Events to detect attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task \u201cdisappearing\u201d from \u201cschtasks \/query\u201d and Task Scheduler.<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/SecurityAlert\/AVTarrask.yaml\">Microsoft Defender AV Hits<\/a>: This query looks for Microsoft Defender AV detections related to Tarrask malware using SecurityAlerts table. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, IP, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for the alerts.<\/li>\n<\/ul>\n\n\n\n<p class=\"has-small-font-size\"><sup>1 <\/sup>The technical information contained in this article is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of guarantee of a certain outcome or result based on the information provided. Therefore, the use or reliance of any information contained in this article is solely at your own risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates \u201chidden\u201d scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware&#8217;s evasion techniques are used to maintain and ensure persistence on systems.<\/p>\n","protected":false},"author":150,"featured_media":112038,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[],"threat-intelligence":[3738],"tags":[3830,3908,3926,3928],"coauthors":[2064,3380],"class_list":["post-112008","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","threat-intelligence-threat-actors","tag-silk-typhoon-hafnium","tag-state-sponsored-threat-actor","tag-token-theft","tag-typhoon"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates \u201chidden\u201d scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware&#039;s evasion techniques are used to maintain and ensure persistence on systems.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-12T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-14T20:17:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response, Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response, Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Tarrask malware uses scheduled tasks for defense evasion\",\"datePublished\":\"2022-04-12T16:00:00+00:00\",\"dateModified\":\"2023-09-14T20:17:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\"},\"wordCount\":1865,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg\",\"keywords\":[\"Silk Typhoon (HAFNIUM)\",\"State-sponsored threat actor\",\"Token theft\",\"Typhoon\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\",\"name\":\"Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg\",\"datePublished\":\"2022-04-12T16:00:00+00:00\",\"dateModified\":\"2023-09-14T20:17:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg\",\"width\":1200,\"height\":600,\"caption\":\"Security practitioner in front of two computer screens, working on their laptop to investigate threats.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Tarrask malware uses scheduled tasks for defense evasion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/","og_locale":"en_US","og_type":"article","og_title":"Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog","og_description":"Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates \u201chidden\u201d scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware's evasion techniques are used to maintain and ensure persistence on systems.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-04-12T16:00:00+00:00","article_modified_time":"2023-09-14T20:17:58+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg","type":"image\/jpeg"}],"author":"Microsoft Incident Response, Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Incident Response, Microsoft Threat Intelligence","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Tarrask malware uses scheduled tasks for defense evasion","datePublished":"2022-04-12T16:00:00+00:00","dateModified":"2023-09-14T20:17:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/"},"wordCount":1865,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg","keywords":["Silk Typhoon (HAFNIUM)","State-sponsored threat actor","Token theft","Typhoon"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/","name":"Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg","datePublished":"2022-04-12T16:00:00+00:00","dateModified":"2023-09-14T20:17:58+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/04\/tarrask-malware-featured-image.jpg","width":1200,"height":600,"caption":"Security practitioner in front of two computer screens, working on their laptop to investigate threats."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/12\/tarrask-malware-uses-scheduled-tasks-for-defense-evasion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Tarrask malware uses scheduled tasks for defense evasion"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/112008"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=112008"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/112008\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/112038"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=112008"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=112008"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=112008"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=112008"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=112008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=112008"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=112008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}