Listen to this Post

Introduction:
Scheduled tasks in Windows are a common persistence mechanism for attackers, often manipulated to evade detection. Michael H., a Threat Researcher and Atomic Red Team maintainer, has developed a PowerShell script to simulate and detect malicious scheduled task techniques. This guide explores hidden task exploitation, detection methods, and hardening strategies.
Learning Objectives:
- Understand how attackers manipulate scheduled tasks for stealth.
- Learn to detect hidden or malicious tasks using PowerShell and Sysmon.
- Apply defensive techniques to secure task scheduler logs and permissions.
- Detecting Fake or Removed SD (Security Descriptor) Values
Attackers often strip or spoof security descriptors to hide tasks.
PowerShell Command:
Get-ScheduledTask | Where-Object { $_.Principal.SecurityDescriptor -eq $null } | Select-Object TaskName, State
Step-by-Step Guide:
- Run the command in an elevated PowerShell session.
- It lists tasks with missing SD values, which may indicate tampering.
3. Investigate any suspicious entries using `Get-ScheduledTaskInfo`.
2. Hunting Deny-Access SDDL Abuse
Malicious tasks may use SDDL (Security Descriptor Definition Language) to block admin access.
PowerShell Command:
Get-ScheduledTask | ForEach-Object {
if ($<em>.Principal.SecurityDescriptor -match "Deny") {
Write-Output "Suspicious task: $($</em>.TaskName)"
}
}
Step-by-Step Guide:
- Execute the script to find tasks with “Deny” ACEs (Access Control Entries).
2. Cross-check with legitimate tasks—unauthorized denies suggest evasion.
3. Identifying Tasks with No Creation Logs
Legitimate tasks generate Event ID 106 in Windows logs. Missing logs may indicate manual registry manipulation.
PowerCheck via Command Line:
Get-WinEvent -LogName "Microsoft-Windows-TaskScheduler/Operational" -MaxEvents 100 | Where-Object { $_.Id -eq 106 }
Step-by-Step Guide:
- Run the command to list recent task creation events.
2. Compare with `Get-ScheduledTask`—missing logs warrant investigation.
4. Simulating Clipboard & Registry-Based Task Manipulation
Attackers may inject tasks via `reg add` or clipboard hijacking.
Atomic Test (Simulation):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{TASK_GUID}" /v "SD" /t REG_BINARY /d "01 00..." /f
Step-by-Step Guide:
- This modifies a task’s SD value directly in the registry.
- Monitor with Sysmon (Event ID 12/13) for registry changes.
5. Sysmon Rule Testing for Task Tampering
Refine detection with Sysmon configurations.
Example Sysmon Rule:
<RuleGroup name="Scheduled Task Tampering" groupRelation="or"> <FileCreate onmatch="include"> <TargetFilename condition="contains">\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache</TargetFilename> </FileCreate> </RuleGroup>
Step-by-Step Guide:
- Add this to your Sysmon config (
sysmon -c config.xml).
2. Triggers on unauthorized task cache modifications.
6. Mitigation: Hardening Scheduled Task Permissions
Restrict task creation to authorized users via GPO:
Group Policy Command:
secedit /export /cfg secpolicy.inf Edit secpolicy.inf to restrict "SeCreateSymbolicLinkPrivilege" secedit /configure /db secedit.sdb /cfg secpolicy.inf
Step-by-Step Guide:
1. Export current security policy.
2. Limit task creation rights to admins only.
What Undercode Say:
- Key Takeaway 1: Attackers increasingly abuse scheduled tasks due to weak default logging.
- Key Takeaway 2: Proactive hunting with PowerShell and Sysmon reduces dwell time.
Analysis:
Traditional AV often misses scheduled task tampering, making manual checks critical. Enterprises should adopt Michael H.’s script for atomic testing and pair it with Sysmon for real-time alerts. The rise of LOLBins (Living-off-the-Land binaries) in task abuse demands deeper log analysis and least-privilege enforcement.
Prediction:
As EDR solutions improve, attackers will shift to more obscure task manipulation techniques, such as COM-based task creation or cloud-initiated tasks. Defenders must expand monitoring beyond traditional logs to include registry, WMI, and PowerShell transcriptions.
Grab Michael H.’s script here and start testing today! 🔍🛡️
IT/Security Reporter URL:
Reported By: Michaelahaag Diving – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


