HAFNIUM "hidden" Scheduled Tasks

Microsoft Detection and Response Team (DART) & Microsoft Threat Intelligence Center (MSTIC) share research from tracking threat group HAFNIUM (aka Operation Exchange Marauder) from August 2021 to February 2022 expanding industry targets to telecommunications, internet service providers and data services. The group has presented a new tactic to abuse scheduled tasks to achieve persistence and evade defenses. Following the creation of scheduled tasks, the threat actors would delete the Security Descriptor (SD) value in the registry, "In this context, SD refers to the Security Descriptor, which determines the users allowed to run the task. Interestingly, the removal of this value results in the task 'disappearing' from 'schtasks /query' and Task Scheduler. The task is effectively hidden..." To delete the value, SYSTEM level privileges are required, and it was identified the attackers obtained these through token theft of their Tarrask malware. Forensic analysts can recover information about the scheduled task as only the SD value was deleted, other registry values (such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}) and an associated scheduled task XML file created within C:\Windows\System32\Tasks holds details about the scheduled task.