Registry keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID>
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME>
Overview
Scheduled tasks are used to automatically perform an action on the system whenever the criteria associated with the task are met. A scheduled task can run at a defined time, repeatedly at set intervals, or when a specific event occurs, such as system boot.
The following registry keys are created upon the creation of a new scheduled task:
- Schedule\Taskcache\Tasks\<TASK_GUID>
- Schedule\Taskcache\Tree\<TASK_NAME>
A scheduled task can be created through direct manipulation of the registry only, as implemented in GhostTask for instance. Creating a scheduled task this way does not generate task creation ETW events. However, the task is not functional until the Schedule service is restarted or the task configuration is modified, either of which triggers a reload by the Schedule service. Modifying the task generates the associated ETW events (channel Microsoft-Windows-TaskScheduler/Operational, event 140, or the Security channel, non-default event 4702).
Additionally, a scheduled task can continue to run even if its associated elements in the registry and / or on disk (XML files) are deleted. The scheduled task is then fully hidden but persists until the system is rebooted or the svchost.exe process associated with that task is terminated. The ETW events produced by the task's execution are, however, still generated.
Information of interest
Each scheduled task configuration is defined in a dedicated subkey under Schedule\Taskcache\Tasks, identified by the task GUID (i.e. Schedule\Taskcache\Tasks\<TASK_GUID>).
For each task, the following notable information is available under the task GUID root key Schedule\Taskcache\Tasks\<TASK_GUID>:
- The task path.
- Some lifecycle timestamps of the task (created on, last start, and last stop) in the DynamicInfo value, in binary format.
- The task trigger(s) (Triggers value) and action(s) (Actions value), in a binary, non human-readable format. A single scheduled task can be associated with one or multiple triggers and one or multiple actions, and can thus execute multiple distinct executables.
- The task security descriptor (in SDDL notation), in the SecurityDescriptor value.
The mapping between a task name and its GUID can be done using the subkeys of the Schedule\Taskcache\Tree key. Indeed, each task is referenced by its name as a subkey of the Schedule\Taskcache\Tree key (i.e. Schedule\Taskcache\Tree\<TASK_NAME>), with the GUID of the task stored in the Id value.
Additionally, the Schedule\Taskcache\Tree\<TASK_NAME> key holds the security descriptor of the scheduled task (in the SD value). Removing this value hides the scheduled task from utilities such as schtasks or the Task Scheduler, while leaving it functional. This was implemented in the Tarrask malware, as discovered by Microsoft.
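The two passages above describe, first, the per-task values under Schedule\Taskcache\Tasks\<TASK_GUID> (including the binary DynamicInfo timestamps) and, second, the name-to-GUID mapping under Schedule\Taskcache\Tree\<TASK_NAME> and the SD value whose removal hides a task. The following script is an added example, not code from the original page or from any tool it mentions: it decodes DynamicInfo and cross-checks the Tree and Tasks key sets for the inconsistencies a hunter would look for (Tree entries without SD, Tree Ids pointing at missing Tasks keys, Tasks keys with no Tree entry). The registry content is a constructed in-memory snapshot; the DynamicInfo byte layout and the use of a Path value inside the Tasks key are assumptions to verify against real samples, and the helper names are hypothetical.

```python
"""Added example (not from the original page): hunt Schedule\\Taskcache anomalies.

The snapshot below is a constructed dict standing in for the registry. On a real
host the same shape can be filled from winreg or an exported SOFTWARE hive.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime | None:
    """Convert a raw 64-bit FILETIME to an aware UTC datetime (None if unset)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dynamic_info(data: bytes) -> dict:
    """Decode the binary DynamicInfo value of a Tasks\\<GUID> key.

    ASSUMED 36-byte layout (verify against your own samples):
      0x00 DWORD version, 0x04 FILETIME created, 0x0C FILETIME last start,
      0x14 DWORD task state, 0x18 DWORD last result, 0x1C FILETIME last stop.
    """
    if len(data) < 36:
        raise ValueError(f"DynamicInfo too short: {len(data)} bytes")
    version, created, start, state, result, stop = struct.unpack_from("<IQQIIQ", data)
    return {"version": version, "created": filetime_to_datetime(created),
            "last_start": filetime_to_datetime(start), "state": state,
            "last_result": result, "last_stop": filetime_to_datetime(stop)}


def hunt_task_anomalies(tasks: dict, tree: dict) -> list[dict]:
    """Flag Tree/Tasks inconsistencies that hide a task or leave it unnamed.

    tasks: {guid: {value_name: data}} for Schedule\\Taskcache\\Tasks\\<GUID>
    tree:  {task_name: {value_name: data}} for Schedule\\Taskcache\\Tree\\<NAME>
    """
    findings, named = [], set()
    for name, values in tree.items():
        guid = values.get("Id")
        if guid is None:
            findings.append({"task": name, "guid": None, "finding": "Tree key has no Id value"})
            continue
        guid = guid.upper()
        named.add(guid)
        if "SD" not in values:  # Tarrask-style hiding: task stays functional but is not listed
            findings.append({"task": name, "guid": guid,
                             "finding": "Tree key has no SD value (hidden from schtasks / Task Scheduler)"})
        if guid not in tasks:
            findings.append({"task": name, "guid": guid,
                             "finding": "Id points to a GUID with no Tasks key"})
    for guid, values in tasks.items():  # Tasks keys nothing in Tree refers to
        if guid.upper() not in named:
            findings.append({"task": values.get("Path"), "guid": guid,
                             "finding": "Tasks key has no Tree entry mapping a name to it"})
    return findings


def make_dynamic_info(created: datetime, start: datetime, stop: datetime, result: int = 0) -> bytes:
    """Build a DynamicInfo blob in the assumed layout (used only to construct the sample)."""
    def to_ft(dt: datetime) -> int:
        return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10  # exact integer math
    return struct.pack("<IQQIIQ", 3, to_ft(created), to_ft(start), 0, result, to_ft(stop))


# Constructed sample snapshot: one normal task, one with its Tree SD value removed,
# and one Tasks key with no Tree entry at all.
_T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
_G1, _G2, _G3 = ("{5E1A0B5C-1111-4C00-9A6E-00000000000%d}" % i for i in (1, 2, 3))
SAMPLE_TASKS = {
    _G1: {"Path": r"\Microsoft\Windows\Example\Cleanup", "SecurityDescriptor": "D:(A;;FA;;;BA)",
          "DynamicInfo": make_dynamic_info(_T0, _T0 + timedelta(days=1), _T0 + timedelta(days=1, minutes=2))},
    _G2: {"Path": r"\Updater", "SecurityDescriptor": "D:(A;;FA;;;SY)",
          "DynamicInfo": make_dynamic_info(_T0 + timedelta(days=30), _T0 + timedelta(days=31), _T0 + timedelta(days=31, seconds=5))},
    _G3: {"Path": r"\Orphan", "DynamicInfo": make_dynamic_info(_T0, _T0, _T0)},
}
SAMPLE_TREE = {
    r"\Microsoft\Windows\Example\Cleanup": {"Id": _G1, "SD": b"\x01\x00\x04\x80"},
    r"\Updater": {"Id": _G2},  # SD value deleted
}

if __name__ == "__main__":
    for guid, values in SAMPLE_TASKS.items():
        print(guid, values["Path"], parse_dynamic_info(values["DynamicInfo"]))
    for f in hunt_task_anomalies(SAMPLE_TASKS, SAMPLE_TREE):
        print("FINDING:", f)
```

Running the script as-is prints the decoded timestamps for each sample task and two findings: the Updater task whose Tree key lacks an SD value, and the orphan GUID that no Tree entry names. Because a task can keep running after its keys are deleted, a negative result from this check does not rule out a hidden task; correlate with the Microsoft-Windows-TaskScheduler/Operational events the task's execution still produces.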
References
- Microsoft - Tarrask malware uses scheduled tasks for defense evasion
- cyber.wtf - Luca Ebach - Windows Registry Analysis - Today's Episode: Tasks