Wednesday, May 7, 2025

Windows Task Scheduler Vulnerabilities Allow Attackers Gain Admin Account Control


Research published by Cymulate describes new vulnerabilities in Windows Task Scheduler’s schtasks.exe that let attackers bypass UAC, forge task metadata, poison event logs, and evade detection.

These actions map to MITRE ATT&CK tactics: Persistence, Privilege Escalation, Execution, Lateral Movement, and Defense Evasion.

Abuse of schtasks.exe enables stealthy task creation and manipulation without alerting defenders, making it a reliable tool for maintaining access and avoiding logs.


UAC Bypass via Credential-Based Exploitation

The most serious finding is a UAC bypass: an attacker who knows the password of a local administrator can run commands with SYSTEM privileges without any UAC prompt, even when UAC is set to “Always Notify.”

Instead of registering a task with the caller’s Interactive Token, the attacker supplies the account’s credentials with the /ru and /rp flags so that the task runs under a Batch Logon. The Task Scheduler service, which itself runs as SYSTEM, performs that logon and impersonates the user with the resulting token.

Because the token is produced by the service’s own logon rather than by a UAC-mediated interactive logon, it carries the account’s maximum allowed privileges instead of the filtered, medium-integrity token an administrator normally starts with; from there the task can be elevated all the way to SYSTEM.

The bypass therefore requires an administrator’s password. Attackers commonly obtain one by luring a victim into authenticating to an attacker-controlled SMB server, capturing the Net-NTLMv2 challenge-response, and cracking it offline with a tool such as Hashcat.

Credential-disclosure bugs such as CVE-2023-21726, which left cleartext credentials in the Windows registry, can supply the password as well.

With a valid password in hand, the attacker registers a temporary task under Batch Logon to obtain the unfiltered token, then uses it to register and run a second task as SYSTEM, never triggering UAC.

Defense Evasion: Metadata and Event Log Poisoning

According to the Cymulate report, two defense evasion techniques compound the problem. The first, Scheduled Task Metadata Poisoning, abuses the way the Task Scheduler handles XML-based task registration.

When a task is registered with Batch Logon authentication, the Author element in the task XML is accepted exactly as supplied, so it can be set to any string, for example “Administrator” or “TrustedInstaller,” to make the task appear to have been created by a trusted principal.

Administrators and security tools that judge a task’s legitimacy by its author are misled. The metadata lives in the registry under HKLM (the Schedule\TaskCache keys) and can be written locally or remotely over RPC, for example with Impacket’s atexec.

The second technique, Task Event Log Poisoning and Overflow, targets Security event ID 4698, the record written when a scheduled task is created.

The Author value is copied into the event’s TaskContent field, which holds the task’s XML descriptor, without any length limit; an attacker can therefore push roughly 3,500 bytes of arbitrary data through it and overwrite the rest of the field.

Because TaskContent is what an analyst relies on to see the task’s action and payload, a task registered with an oversized Author tag leaves a 4698 event that no longer shows what the task actually does, hiding the evidence from forensic review.
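As an added example (not code from the Cymulate report or from this article), the following Python function applies the checks a defender would run over a task definition, whether it comes from a task file under C:\Windows\System32\Tasks or from the TaskContent field of a 4698 event: a TaskContent that no longer parses, an oversized Author, an Author that claims a trusted name but differs from the account that registered the task, and a principal using a Password (batch) logon with RunLevel HighestAvailable, which is the shape the UAC bypass described earlier produces. The sample task definitions, the watch-list of impersonated names and the 256-byte Author threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler task definition (task files under
# C:\Windows\System32\Tasks and the TaskContent field of Security event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Names an attacker would plausibly write into <Author> to look trustworthy.
# Constructed watch-list for this example, not an official one.
IMPERSONATION_NAMES = {"administrator", "trustedinstaller", "system", "microsoft corporation"}

# A real author value is an account name; anything longer is suspicious.
# Constructed threshold; the article describes payloads of about 3,500 bytes.
MAX_AUTHOR_LEN = 256


def _text(root, path):
    """Text of the first element at a namespaced path, or '' if absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _short(name):
    """Strip a DOMAIN\\ prefix and lowercase, for comparing account names."""
    return name.rsplit("\\", 1)[-1].lower()


def audit_task_xml(xml_text, subject_user=None):
    """Return a list of findings for one task definition.

    subject_user is the account that registered the task (SubjectUserName in
    event 4698). When omitted, the task's own principal UserId is used instead.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An Author overflowing TaskContent leaves a descriptor that no longer
        # parses; treat that as evidence of poisoning rather than as noise.
        return [f"TaskContent is not well-formed XML ({exc}): possible event log poisoning"]

    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author")
    user_id = _text(root, "t:Principals/t:Principal/t:UserId")
    logon = _text(root, "t:Principals/t:Principal/t:LogonType")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    args = _text(root, "t:Actions/t:Exec/t:Arguments")

    if len(author) > MAX_AUTHOR_LEN:
        findings.append(f"oversized Author ({len(author)} bytes): metadata/event log poisoning")

    registrant = subject_user or user_id
    if _short(author) in IMPERSONATION_NAMES and registrant and _short(author) != _short(registrant):
        findings.append(f"Author '{author}' does not match the registering account '{registrant}'")

    if logon == "Password" and run_level == "HighestAvailable":
        findings.append(f"batch (Password) logon with HighestAvailable for '{user_id}': "
                        f"maximum privileges without a UAC prompt; action = {command} {args}".strip())
    return findings


# Constructed task definitions (not captured from a real host).
_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author><URI>\\{name}</URI></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>{user}</UserId><LogonType>{logon}</LogonType><RunLevel>{level}</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

SAMPLES = {
    "benign": _TASK.format(author="CORP\\alice", name="Sync", user="CORP\\alice",
                           logon="InteractiveToken", level="LeastPrivilege",
                           cmd="robocopy.exe", args="C:\\src D:\\dst /MIR"),
    "bypass": _TASK.format(author="TrustedInstaller", name="Update", user="WIN10\\Administrator",
                           logon="Password", level="HighestAvailable",
                           cmd="cmd.exe", args="/c whoami > C:\\out.txt"),
    # Oversized Author that swallows the rest of the descriptor (truncated XML).
    "poisoned": _TASK.split("<Author>")[0] + "<Author>" + "A" * 3500,
}


def audit_samples():
    """Run the audit over the constructed samples; CORP\\alice registered all three."""
    return {name: audit_task_xml(xml, subject_user="CORP\\alice") for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["clean"])
```

The same function can be pointed at the XML embedded in each 4698 event from a SIEM export; an event whose TaskContent fails to parse is itself the indicator, since a healthy registration always produces a complete descriptor.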

Building on this, Security Log Saturation exploits the default 20 MB maximum size of the Security log.

By registering tasks in a loop (about 2,280 iterations at roughly 8 KB of event data each), the attacker fills Security.evtx in little more than a minute. With the default “overwrite events as needed” retention, the oldest records are silently discarded as the log wraps, and no “audit log was cleared” event (ID 1102) is written, because that event is generated only for an explicit clear.

The effect is to blind any monitoring that depends on the local Security log, chaining CWE-117 (Improper Output Neutralization for Logs) with CWE-400 (Uncontrolled Resource Consumption).
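As an added example (not part of the article or the Cymulate report), the following Python script runs the saturation check over a constructed Security-log excerpt: a sliding window counts 4698 events per minute, the 4698 volume is converted into an estimate of Security.evtx growth against the 20 MB default, and the absence of a 1102 event is recorded so that a wrapped log is not mistaken for a quiet one. The per-event size, window, thresholds and the 2,700-event burst are assumptions chosen for the example (the article’s own estimate is about 2,280 iterations).

```python
from collections import deque
from datetime import datetime, timedelta

SECURITY_LOG_MAX_BYTES = 20 * 1024 * 1024  # default Security.evtx size cited above
TASK_EVENT_BYTES = 8 * 1024                # approximate size of one 4698 record (article's figure)


def analyse_task_events(events, window_s=60, threshold=100):
    """Sliding-window analysis of scheduled-task creation events.

    events: iterable of dicts with 'ts' (ISO 8601) and 'id' (event ID).
    Returns the peak number of 4698 events in any window_s seconds, whether
    that exceeds threshold, the estimated bytes those records added to
    Security.evtx, whether that is enough to wrap the log, and whether an
    explicit clear (event 1102) was seen.
    """
    events = list(events)
    stamps = sorted(datetime.fromisoformat(e["ts"]) for e in events if e["id"] == 4698)
    window = timedelta(seconds=window_s)
    recent = deque()
    peak_count, peak_start = 0, None
    for ts in stamps:
        recent.append(ts)
        while ts - recent[0] > window:   # drop events that fell out of the window
            recent.popleft()
        if len(recent) > peak_count:
            peak_count, peak_start = len(recent), recent[0]
    written = len(stamps) * TASK_EVENT_BYTES
    return {
        "task_events": len(stamps),
        "peak": (peak_count, peak_start.isoformat() if peak_start else None),
        "burst": peak_count >= threshold,
        "bytes_written": written,
        "wrap_expected": written >= SECURITY_LOG_MAX_BYTES,
        "cleared_event_seen": any(e["id"] == 1102 for e in events),
    }


def sample_events(burst=2700, burst_seconds=70):
    """Constructed excerpt: an hour of routine task creation, then an attacker loop.

    The burst of 2,700 registrations in 70 s is an assumed figure in the range
    the article describes (about 2,280 in a little over a minute).
    """
    base = datetime(2025, 5, 7, 9, 0, 0)
    events = [{"ts": (base + timedelta(seconds=90 * i)).isoformat(), "id": 4698,
               "subject": "CORP\\svc-backup"} for i in range(40)]
    start = base + timedelta(hours=1)
    step = burst_seconds / burst if burst else 0
    events += [{"ts": (start + timedelta(seconds=step * i)).isoformat(), "id": 4698,
                "subject": "CORP\\alice"} for i in range(burst)]
    return events


if __name__ == "__main__":
    for label, burst in (("routine", 0), ("saturation", 2700)):
        print(label, analyse_task_events(sample_events(burst=burst)))
```

Because the wrap destroys the evidence on the host, the check is only useful if it runs on events that have already left the machine; feeding it a forwarded copy of the Security log rather than the local file is the point.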

Exploitation Techniques

These issues strengthen several MITRE ATT&CK tactics. For Privilege Escalation, the UAC bypass and Batch Logon impersonation let anyone holding the credentials of a member of Administrators, Backup Operators, or Performance Log Users run tasks with that group’s full rights.

For example, a task running as a Backup Operator can save the SAM, SECURITY and SYSTEM registry hives; on a domain controller those hives yield the machine account secret, which is enough to run a DCSync attack and compromise the domain.

For Lateral Movement, Batch Logon rights let an attacker register tasks on other hosts across an Active Directory environment. The Defense Evasion techniques then keep those tasks unnoticed by forging their metadata and overwriting the logs, complicating detection and response.

After the findings were reported to MSRC, Microsoft classified the metadata poisoning as a non-security issue on the grounds that the Author tag is informational rather than security-critical.

Security products and administrators do, however, treat that metadata as a signal of legitimacy, which is exactly what makes forging it useful to an attacker.

Organizations should apply strict access controls, disable NTLM where possible (moving to Kerberos removes the Net-NTLMv2 capture path), and enforce least privilege. Monitoring should watch Task Scheduler activity for the indicators above: 4698 events whose TaskContent is oversized or not well-formed XML, whose Author does not match the registering account, or whose principal uses a Password logon with RunLevel HighestAvailable, and bursts of 4698 events that approach the log’s size limit. Forwarding the Security log to a central collector as events are written ensures that a saturated local log does not take the evidence with it.

The Task Scheduler’s ubiquity and SYSTEM-level execution make it a prime target. These findings underline the need for prompt patching where fixes exist and for monitoring that does not trust a task’s own description of itself.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
