Cyber Security News

Windows Task Scheduler Vulnerabilities Allow Attackers to Gain Admin Account Control

New vulnerabilities in Windows Task Scheduler’s schtasks.exe let attackers bypass UAC, alter metadata, modify event logs, and evade detection.

These actions map to MITRE ATT&CK tactics: Persistence, Privilege Escalation, Execution, Lateral Movement, and Defense Evasion.

Abuse of schtasks.exe enables stealthy task creation and manipulation without alerting defenders, making it a reliable tool for maintaining access and evading logging.

UAC Bypass via Credential-Based Exploitation

The most critical vulnerability is a UAC bypass that allows attackers with local administrator credentials to execute commands with SYSTEM privileges without triggering a UAC prompt, even at the highest “Always Notify” setting.

By creating a scheduled task using Batch Logon authentication (via the /ru and /rp flags) instead of an Interactive Token, attackers can exploit the Task Scheduler service’s impersonation mechanism.

The service, running as SYSTEM, grants the task the maximum allowed privileges, elevating it from any integrity level to SYSTEM.

This bypass requires knowledge of an administrator’s password, which attackers can obtain through methods like capturing NTLMv2 hashes via an SMB server and cracking them offline with tools like Hashcat.

Alternatively, vulnerabilities like CVE-2023-21726, which stored cleartext credentials in the Windows registry, could provide the necessary credentials.

Once obtained, attackers can create a temporary task to elevate privileges, then spawn a SYSTEM-level task, bypassing UAC entirely.
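For defenders, the pattern described above has a concrete footprint in the task definition itself: a task created with /ru and /rp is stored with LogonType Password, and if it also requests RunLevel HighestAvailable it runs elevated without a prompt. The following added example (not code from the article or from Cymulate) audits task XML for that combination. The task-store path, the SENSITIVE_PRINCIPALS list and the interpreter list are assumptions, and the two task definitions are constructed samples, not captured from a real host.

```python
import os
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TASK_STORE = r"C:\Windows\System32\Tasks"   # default on-disk task store (assumed)

# Built-in principals that make a stored-credential task especially sensitive.
# Task XML carries only the account, not group membership, so this is a heuristic.
SENSITIVE_PRINCIPALS = {"S-1-5-18", "SYSTEM", "S-1-5-32-544", "S-1-5-32-551"}
INTERPRETERS = ("cmd.exe", "powershell.exe", "schtasks.exe")   # assumed watch-list


def audit_task_xml(xml_text):
    """Return risk indicators for one task definition (empty list if none)."""
    task = ET.fromstring(xml_text)
    indicators = []
    for principal in task.iter(TASK_NS + "Principal"):
        logon = principal.findtext(TASK_NS + "LogonType") or ""
        run_level = principal.findtext(TASK_NS + "RunLevel") or "LeastPrivilege"
        user = (principal.findtext(TASK_NS + "UserId")
                or principal.findtext(TASK_NS + "GroupId") or "")
        if logon == "Password":
            # LogonType Password is the batch logon form written for /ru and /rp
            indicators.append(f"stored-credential (batch) logon for {user!r}")
            if run_level == "HighestAvailable":
                indicators.append("RunLevel HighestAvailable with batch logon: elevates without a UAC prompt")
        if user.upper() in SENSITIVE_PRINCIPALS:
            indicators.append(f"principal {user!r} is a built-in privileged account or group")
    for exec_el in task.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip()
        if cmd.lower().endswith(INTERPRETERS):
            indicators.append(f"action launches an interpreter: {cmd}")
    return indicators


def audit_task_store(root=TASK_STORE):
    """Walk the on-disk task store (UTF-16 XML files) and report findings per path."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-16") as fh:
                    findings = audit_task_xml(fh.read())
            except (OSError, ET.ParseError, UnicodeError):
                continue   # not a task definition or unreadable; skip
            if findings:
                report[path] = findings
    return report


# Constructed samples (not real task definitions). RISKY_TASK is shaped the way
# a task registered with /ru, /rp and /rl HIGHEST is stored; BENIGN_TASK uses the
# interactive token at least privilege.
RISKY_TASK = f"""<Task version="1.2" xmlns="{TASK_NS[1:-1]}">
  <RegistrationInfo><Author>CORP\\alice</Author></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>CORP\\alice</UserId><LogonType>Password</LogonType>
    <RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\cmd.exe</Command><Arguments>/c whoami</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS[1:-1]}">
  <RegistrationInfo><Author>CORP\\alice</Author></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>CORP\\alice</UserId><LogonType>InteractiveToken</LogonType>
    <RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>notepad.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("risky", RISKY_TASK), ("benign", BENIGN_TASK)):
        print(label, audit_task_xml(xml_text))
    if os.path.isdir(TASK_STORE):
        for path, findings in audit_task_store().items():
            print(path, "->", "; ".join(findings))
```

A stored-credential task is not malicious by itself (service accounts use them), so treat the output as a review list: confirm who registered each flagged task and whether the account in UserId should hold batch logon rights at all.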

Defense Evasion: Metadata and Event Log Poisoning

According to the Cymulate report, two novel defense evasion techniques further amplify the threat. The first, Scheduled Task Metadata Poisoning, exploits the Task Scheduler’s handling of XML-based task registration.

When a task is created with Batch Logon authentication, the Author tag in the XML can be arbitrarily modified to impersonate trusted entities, such as “Administrator” or “TrustedInstaller.”

This misleads security tools and administrators inspecting task legitimacy, as the metadata is stored in the Windows registry (HKLM) and can be manipulated locally or remotely via RPC using tools like Impacket’s atexec.

The second technique, Task Event Log Poisoning and Overflow, targets the Windows Event Log (Event ID 4698) used to record task creation.

The Author tag has an uncontrolled buffer, allowing attackers to overwrite the entire TaskContent field, which includes the task’s XML descriptor, with up to 3,500 bytes of arbitrary data.

This hides critical details, such as the payload, from forensic analysis. By creating a task with an oversized Author tag, attackers can erase evidence of malicious activity.

Building on this, Security Log Saturation exploits the Event Log’s 20MB default size limit.

By repeatedly registering tasks (approximately 2,280 iterations, each consuming 8KB), attackers can overflow the Security.evtx file in just over a minute, erasing all prior logs without triggering a log-clear event (Event ID 1102).

This effectively blinds security monitoring tools, achieving a CWE-117 (Improper Output Neutralization) and CWE-400 (Uncontrolled Resource Consumption) exploit chain.
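Both evasion techniques above leave traces in the Event ID 4698 records themselves: an Author that impersonates a trusted name but differs from the registering subject, an Author far longer than any real name, a TaskContent field that is no longer well-formed XML, and a burst of registrations from one account in a short window. The following added example (not the article's or Cymulate's code) runs those checks over rendered 4698 event XML; the length and burst thresholds are assumptions, and every event it processes is a constructed sample, not a real capture.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

AUTHOR_MAX_LEN = 256          # assumed: legitimate Author values are short names
PRIVILEGED_AUTHORS = {"administrator", "trustedinstaller", "system"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20          # assumed: 4698s per subject per window before alerting


def parse_event(event_xml):
    """Flatten one rendered Security event into a dict of System and EventData fields."""
    root = ET.fromstring(event_xml)
    sys_el = root.find(EVT + "System")
    stamp = sys_el.find(EVT + "TimeCreated").get("SystemTime")
    when = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    rec = {"EventID": int(sys_el.findtext(EVT + "EventID")), "Time": when}
    rec.update({d.get("Name"): d.text or "" for d in root.iter(EVT + "Data")})
    return rec


def inspect_task_content(rec):
    """Findings for one 4698 record, derived from the task XML it carries."""
    try:
        task = ET.fromstring(rec["TaskContent"])
    except ET.ParseError:
        # A TaskContent field overwritten by an oversized Author is no longer XML
        return ["TaskContent is not well-formed XML (possible log poisoning)"]
    findings = []
    author = (task.findtext(f"{TASK}RegistrationInfo/{TASK}Author") or "").strip()
    subject = rec.get("SubjectUserName", "")
    if len(author) > AUTHOR_MAX_LEN:
        findings.append(f"oversized Author tag ({len(author)} chars)")
    if author.lower() in PRIVILEGED_AUTHORS and author.lower() != subject.lower():
        findings.append(f"Author claims '{author}' but task was registered by '{subject}'")
    return findings


def registration_bursts(records):
    """Subjects whose 4698 count inside any BURST_WINDOW exceeds BURST_THRESHOLD."""
    per_subject = {}
    for r in records:
        if r["EventID"] == 4698:
            per_subject.setdefault(r["SubjectUserName"], []).append(r["Time"])
    bursts = {}
    for subject, times in per_subject.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > BURST_THRESHOLD:
            bursts[subject] = peak
    return bursts


def hunt(event_xmls):
    """Per-event findings (aligned with the input order) plus per-subject bursts."""
    records = [parse_event(x) for x in event_xmls]
    findings = [inspect_task_content(r) if r["EventID"] == 4698 else [] for r in records]
    return {"findings": findings, "bursts": registration_bursts(records)}


def make_4698(author, subject, when, content=None):
    """Constructed sample 4698 event in rendered XML form (not a real capture)."""
    task_xml = content if content is not None else (
        f'<Task version="1.2" xmlns="{TASK[1:-1]}"><RegistrationInfo>'
        f'<Author>{author}</Author></RegistrationInfo></Task>')
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>4698</EventID>'
            f'<TimeCreated SystemTime="{when}Z"/></System><EventData>'
            f'<Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="TaskName">\\Updater</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


SAMPLES = [
    make_4698("CORP\\alice", "alice", "2025-05-20T10:00:00"),            # benign
    make_4698("TrustedInstaller", "alice", "2025-05-20T10:00:05"),       # impersonating Author
    make_4698("A" * 3000, "alice", "2025-05-20T10:00:09"),               # oversized Author
    make_4698("", "alice", "2025-05-20T10:00:12", content="X" * 3500),   # TaskContent overwritten
] + [make_4698("bob", "bob", f"2025-05-20T10:01:{i:02d}") for i in range(30)]  # saturation burst

if __name__ == "__main__":
    result = hunt(SAMPLES)
    for i, f in enumerate(result["findings"]):
        if f:
            print(f"event {i}: {'; '.join(f)}")
    print("bursts:", result["bursts"])
```

On a live host the same functions take the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} with .ToXml() called on each record, or wevtutil qe Security /f:xml split into individual Event elements. Because saturation works by outrunning the default log size, forwarding 4698 events off-host as they occur matters more than any local rule: a detector that only reads Security.evtx after the fact reads a log the attacker has already rolled over.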

Exploitation Techniques

These vulnerabilities support several MITRE ATT&CK tactics. For Privilege Escalation, the UAC bypass and Batch Logon impersonation allow low-privileged users to impersonate members of groups like Administrators, Backup Operators, or Performance Log Users, gaining elevated privileges.

For example, a Backup Operator can back up sensitive registry hives (SAM, SECURITY, SYSTEM) using a scheduled task, enabling domain compromise via DCSync attacks.

For Lateral Movement, attackers can leverage Batch Logon rights to pivot across Active Directory environments. The Defense Evasion techniques ensure malicious tasks go unnoticed by poisoning metadata and wiping logs, complicating detection and response.

Microsoft’s response to these findings, as reported to MSRC, downplayed the metadata poisoning as a non-security issue, citing the Author tag’s role as informational rather than security-critical.

However, the reliance of security products on this metadata underscores its risks.

Organizations should apply strict access controls, disable NTLM where possible, and monitor Task Scheduler activity for anomalies. Transitioning to Kerberos authentication and enforcing least-privilege principles can mitigate risks.

The Task Scheduler’s accessibility and SYSTEM-level execution make it a prime target for attackers. These vulnerabilities highlight the need for robust patch management and advanced monitoring to counter sophisticated evasion tactics.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
