New vulnerabilities in Windows Task Scheduler’s schtasks.exe let attackers bypass UAC, alter metadata, modify event logs, and evade detection.
These actions map to MITRE ATT&CK tactics: Persistence, Privilege Escalation, Execution, Lateral Movement, and Defense Evasion.
Abuse of schtasks.exe enables stealthy task creation and manipulation without alerting defenders, making it a reliable tool for maintaining access and avoiding logs.
UAC Bypass via Credential-Based Exploitation
The most serious finding is a UAC bypass: an attacker who knows a local administrator's password can run commands with that account's full elevated token, and from there as SYSTEM, without ever seeing a UAC prompt, even with UAC set to “Always Notify”.
Instead of registering the task with the caller's Interactive Token, the attacker registers it with Batch Logon authentication by supplying the account name and password (the /ru and /rp flags of schtasks.exe), which routes the logon through the Task Scheduler service's own impersonation path.
The service runs as SYSTEM, performs the logon itself, and hands the task the maximum privileges the account is allowed; the task therefore runs with an unfiltered administrator token regardless of the integrity level of the process that registered it.
This bypass requires the administrator's password, which attackers can obtain by coercing an authentication to an attacker-controlled SMB server, capturing the NTLMv2 challenge-response, and cracking it offline with tools like Hashcat.
Alternatively, vulnerabilities like CVE-2023-21726, which stored cleartext credentials in the Windows registry, could provide the necessary credentials.
With the password in hand, the attacker registers a short-lived batch-logon task to obtain that elevated context, then uses it to register a second task that runs as SYSTEM, which an elevated administrator is permitted to do; at no point is a UAC prompt shown.
Defense Evasion: Metadata and Event Log Poisoning
According to the Cymulate report, two novel defense evasion techniques amplify the threat. The first, Scheduled Task Metadata Poisoning, abuses the way the Task Scheduler accepts XML-based task registrations.
When a task is registered with Batch Logon authentication, the Author tag in the task XML is accepted as supplied, so it can be set to impersonate trusted entities such as “Administrator” or “TrustedInstaller.”
This misleads security tools and administrators who use the Author field to judge a task's legitimacy. The metadata is persisted in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and can be written locally or remotely over RPC, for example with Impacket's atexec.
The second technique, Task Event Log Poisoning and Overflow, targets the Security log event that records task creation (Event ID 4698).
The Author value is not length-limited, and the 4698 event copies the task's XML descriptor into its TaskContent field, which holds roughly 3,500 bytes; an oversized Author therefore fills the whole field with attacker-chosen data.
The event is still written, but the part of the descriptor that matters for forensics, the Actions block with the actual command, is pushed out of what gets recorded. A single task registered with an oversized Author tag is enough to strip that evidence from the log.
Building on this, Security Log Saturation exploits the Security log's default maximum size of 20 MB together with its default retention policy of overwriting the oldest events once the file is full.
By registering tasks in a loop (approximately 2,280 iterations at about 8 KB of event data each), an attacker can roll over Security.evtx in just over a minute, pushing every earlier event out of the file without producing the log-cleared event (Event ID 1102) that wevtutil cl or Clear-EventLog would.
Monitoring that relies on the local Security log is effectively blinded. The two weaknesses map to CWE-117 (Improper Output Neutralization for Logs) and CWE-400 (Uncontrolled Resource Consumption). Note that saturation only erases history if the log is left on the default overwrite policy and is not forwarded; a collector that has already shipped the 4698 events off-host keeps them, and the burst itself is a strong signal.
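As an added example (not code from Cymulate, Microsoft, or this article), the following Python triages exported 4698 events for the indicators described in the two sections above: a Password (batch) logon principal of the kind /ru and /rp produce, an Author forged to look trusted, an Author large enough to overflow TaskContent, and a burst of registrations that would saturate the Security log. The event and task XML it parses are constructed inline in the 4698 and task-schema layout; the watch-list of author names and the 50-per-minute burst threshold are assumptions to tune, while the 3,500-byte TaskContent size is the figure quoted in the report.

```python
"""Triage Security-log 4698 (scheduled task created) events for the abuses
described above: Password (batch) logon principals, a forged Author, an Author
big enough to overflow TaskContent, and 4698 bursts that saturate Security.evtx."""
from datetime import datetime
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TSK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
PRINCIPAL = f"{TSK}Principals/{TSK}Principal/"
# Names an attacker would plausibly forge into <Author> (assumed watch-list).
TRUSTED_AUTHORS = {"administrator", "trustedinstaller", "system", "microsoft corporation"}
TASKCONTENT_LIMIT = 3500   # bytes of TaskContent an oversized Author can fill (report's figure)
BURST_PER_MINUTE = 50      # 4698 events per minute we treat as saturation (assumed threshold)

def parse_4698(event_xml):
    """Fields we need from one 4698 event ('wevtutil qe Security /f:xml' or .ToXml())."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    stamp = root.find(f"{EVT}System/{EVT}TimeCreated").get("SystemTime")
    return {"time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            "subject": data.get("SubjectUserName", ""),
            "task_name": data.get("TaskName", ""),
            "task_content": data.get("TaskContent", "")}

def inspect_task(subject, task_content):
    """Sorted findings for the task XML embedded in TaskContent."""
    findings = set()
    if len(task_content.encode("utf-8")) >= TASKCONTENT_LIMIT:
        findings.add("taskcontent-at-limit")        # Author-overflow candidate
    # Drop the '<?xml ... encoding="UTF-16"?>' declaration; the text is already decoded.
    body = task_content.split("?>", 1)[1] if task_content.lstrip().startswith("<?xml") else task_content
    try:
        task = ET.fromstring(body)
    except ET.ParseError:
        findings.add("taskcontent-unparseable")     # descriptor truncated or overwritten
        return sorted(findings)

    def text(path):
        node = task.find(path)
        return (node.text or "").strip() if node is not None else ""

    author = text(f"{TSK}RegistrationInfo/{TSK}Author").split("\\")[-1].lower()
    if author in TRUSTED_AUTHORS and author != subject.lower():
        findings.add("author-impersonation")        # metadata poisoning
    if text(f"{PRINCIPAL}{TSK}LogonType") == "Password":
        findings.add("password-logon")              # schtasks /ru + /rp: batch logon, no UAC prompt
    if text(f"{PRINCIPAL}{TSK}RunLevel") == "HighestAvailable":
        findings.add("run-highest")
    return sorted(findings)

def triage(event_xmls):
    """Return (TaskName -> findings, minutes whose 4698 count looks like saturation)."""
    events = [parse_4698(x) for x in event_xmls]
    per_task = {e["task_name"]: inspect_task(e["subject"], e["task_content"]) for e in events}
    per_minute = {}
    for e in events:
        minute = e["time"].replace(second=0, microsecond=0)
        per_minute[minute] = per_minute.get(minute, 0) + 1
    bursts = sorted(m.isoformat() for m, n in per_minute.items() if n >= BURST_PER_MINUTE)
    return per_task, bursts

# --- constructed sample data, not real log exports ---------------------------
def make_task_xml(author, user, logon_type, run_level, command):
    return (f'<?xml version="1.0" encoding="UTF-16"?><Task version="1.4" xmlns="{TSK[1:-1]}">'
            f'<RegistrationInfo><Author>{escape(author)}</Author></RegistrationInfo>'
            f'<Principals><Principal id="Author"><UserId>{escape(user)}</UserId>'
            f'<LogonType>{logon_type}</LogonType><RunLevel>{run_level}</RunLevel></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command></Exec></Actions></Task>')

def make_4698(stamp, subject, task_name, task_content):
    return (f'<Event xmlns="{EVT[1:-1]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>4698</EventID><TimeCreated SystemTime="{stamp}"/><Computer>WS01.corp.local</Computer>'
            f'</System><EventData><Data Name="SubjectUserName">{escape(subject)}</Data>'
            f'<Data Name="SubjectDomainName">CORP</Data><Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_content)}</Data></EventData></Event>')

SAMPLE = [  # a benign interactive task, a poisoned batch-logon task, an overflowed TaskContent
    make_4698("2025-04-16T09:00:00Z", "alice", "\\Backup",
              make_task_xml("CORP\\alice", "CORP\\alice", "InteractiveToken", "LeastPrivilege", "robocopy.exe")),
    make_4698("2025-04-16T09:00:05Z", "alice", "\\Updater",
              make_task_xml("TrustedInstaller", "CORP\\alice", "Password", "HighestAvailable", "cmd.exe")),
    make_4698("2025-04-16T09:00:10Z", "alice", "\\Overflow",
              make_task_xml("A" * 3600, "CORP\\alice", "Password", "HighestAvailable", "cmd.exe")[:TASKCONTENT_LIMIT]),
]
SAMPLE += [  # sixty registrations inside one minute: the saturation pattern
    make_4698(f"2025-04-16T09:30:{i % 60:02d}Z", "alice", f"\\flood-{i}",
              make_task_xml("x", "CORP\\alice", "Password", "LeastPrivilege", "cmd.exe"))
    for i in range(60)
]

if __name__ == "__main__":
    per_task, bursts = triage(SAMPLE)
    for name, found in per_task.items():
        if found:
            print(f"{name}: {', '.join(found)}")
    print("burst minutes:", bursts)
```

To run it against real data, export with `wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml`, split the output into individual `<Event>` elements, and pass the list to `triage`. The per-minute count is deliberately computed from whatever events survive: once the local log has been rolled over, the burst at the tail of the file is often the only remaining evidence on the host, which is the practical argument for forwarding 4698 off-box as it is written.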
Exploitation Techniques
These vulnerabilities feed several MITRE ATT&CK tactics. For Privilege Escalation, Batch Logon impersonation lets a low-privileged user who has obtained the password of an account in a group such as Administrators, Backup Operators, or Performance Log Users run a task as that account and acquire its privileges, in the Administrators case without a UAC prompt.
For example, with Backup Operator credentials a scheduled task can back up the SAM, SECURITY, and SYSTEM hives; on a domain controller those hives yield the machine account secret, which carries replication rights and is enough to run a DCSync attack and compromise the domain.
For Lateral Movement, attackers can leverage Batch Logon rights to pivot across Active Directory environments. The Defense Evasion techniques ensure malicious tasks go unnoticed by poisoning metadata and wiping logs, complicating detection and response.
Microsoft’s response to these findings, as reported to MSRC, downplayed the metadata poisoning as a non-security issue, citing the Author tag’s role as informational rather than security-critical.
However, the reliance of security products on this metadata underscores its risks.
Organizations should apply strict access controls on who can register tasks with stored credentials, disable NTLM where possible, and monitor Task Scheduler activity for anomalies: Event ID 4698 entries whose Author does not match the registering user, tasks that use Password logon via /ru and /rp, TaskContent fields full of filler, and bursts of registrations. Forwarding the Security log to a central collector preserves these events even when the local file is rolled over. Transitioning to Kerberos authentication and enforcing least-privilege principles further reduce the risk.
The Task Scheduler’s accessibility and SYSTEM-level execution make it a prime target for attackers. These vulnerabilities highlight the need for robust patch management and advanced monitoring to counter sophisticated evasion tactics.