
Cybersecurity researchers have detailed four vulnerabilities in a core component of the Windows Task Scheduler service that local attackers could exploit to escalate privileges, erase logs, and conceal evidence of malicious activity.
The issues lie in a binary named “schtasks.exe”, which lets administrators create, delete, query, modify, run, and terminate scheduled tasks on local or remote computers.
“A [User Account Control] bypass vulnerability was found in Microsoft Windows, allowing attackers to bypass the User Account Control prompt and allowing high-privilege (System) commands to be run without user approval.

“By exploiting this weakness, attackers can increase privileges and execute malicious payloads with administrator rights, leading to unauthorized access, data theft, or further compromise on the system.”
The cybersecurity company said the bypass occurs when an attacker creates a scheduled task using a batch logon (i.e., a password) rather than an interactive token.
The attack does, however, depend on the threat actor first obtaining a password through other means, such as cracking an NTLMv2 hash after authenticating to an SMB server, or exploiting a flaw such as CVE-2023-21726.
The net result is that low-privileged users can leverage the schtasks.exe binary to obtain the maximum allowed privileges by using known passwords of members of groups such as Administrators, Backup Operators, and Performance Log Users.
Registering a scheduled task with the batch logon authentication method via an XML file also opens the door to two defense evasion techniques that allow an attacker to overwrite the task event log and effectively erase the audit trail of previous activity.

Specifically, this involves registering a task whose author name is, for example, the character “A” repeated 3,500 times in the XML file, which overwrites the entire task description in the task event log. The same behavior can be extended to overwrite the entire “C:\Windows\System32\winevt\Logs\Security.evtx” database.
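Both properties described above, a task registered under a stored password (the batch logon that schtasks /ru and /rp produce) and an Author field padded to thousands of characters, are visible in the task's XML definition. The following Python script is an example added here to illustrate that check; it is not part of the original article or the researchers' tooling. It parses task definitions in the form exported by `schtasks /query /tn <name> /xml` and flags both properties. The task names, the sample definitions, and the 256-character Author threshold are constructed for the example.

```python
"""Flag scheduled-task definitions that use batch (password) logon or carry an
oversized Author field, the two properties the article ties to the
schtasks.exe privilege-escalation and log-overwrite techniques.

Added example, not the researchers' tooling. Input is the Task Scheduler XML
that `schtasks /query /tn <name> /xml` (or Export-ScheduledTask) produces.
Task names, sample definitions and the Author threshold are constructed."""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_AUTHOR_LEN = 256  # assumption: real author fields are far shorter than this


def analyze_task_xml(xml_text: str) -> dict:
    """Return {'author_len': int, 'findings': [str, ...]} for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []

    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS)
    if len(author) > MAX_AUTHOR_LEN:
        # A multi-thousand-character author is what the log-overwrite trick relies on.
        findings.append(f"oversized Author field ({len(author)} chars)")

    for principal in root.findall("t:Principals/t:Principal", TASK_NS):
        user = principal.findtext("t:UserId", default="?", namespaces=TASK_NS)
        logon = principal.findtext("t:LogonType", default="", namespaces=TASK_NS)
        level = principal.findtext("t:RunLevel", default="LeastPrivilege", namespaces=TASK_NS)
        # LogonType=Password is what `schtasks /create ... /ru <user> /rp <password>`
        # registers: the task runs from a stored credential (batch logon) rather
        # than the caller's interactive token.
        if logon == "Password":
            findings.append(f"batch logon with stored password for {user}")
            if level == "HighestAvailable":
                findings.append(f"runs with the highest privileges available to {user}")
    return {"author_len": len(author), "findings": findings}


def scan_tasks(tasks: dict) -> dict:
    """Map task name -> findings, keeping only tasks that raised at least one."""
    flagged = {}
    for name, xml_text in tasks.items():
        findings = analyze_task_xml(xml_text)["findings"]
        if findings:
            flagged[name] = findings
    return flagged


def _task_xml(author: str, user: str, logon: str, level: str) -> str:
    """Constructed minimal task definition in the Task Scheduler XML schema."""
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>{user}</UserId>
      <LogonType>{logon}</LogonType>
      <RunLevel>{level}</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\cmd.exe</Command></Exec>
  </Actions>
</Task>"""


# Constructed sample exports: one ordinary interactive task and one registered
# the way the article describes (stored password, elevated, 3,500 x 'A' author).
SAMPLE_TASKS = {
    "Updater": _task_xml("Contoso Corp", "CONTOSO\\alice", "InteractiveToken", "LeastPrivilege"),
    "Maint": _task_xml("A" * 3500, "CONTOSO\\svc-backup", "Password", "HighestAvailable"),
}

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live host, feed the script the output of `schtasks /query /tn <name> /xml` for each task of interest; a task that trips both checks (stored password for a privileged account plus an author field of thousands of characters) matches the pattern the article describes and is worth correlating against gaps in Security.evtx.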
“The Task Scheduler is a very interesting component. It creates tasks started by the system running the system, juggles between privileges, and can be accessed through process integrity and user spoofing,” Enkaoua said.
“The UAC bypass is not the only vulnerability reported in the first place. It's more than that. Essentially, it's a way to impersonate a user from the CLI with a password and use the /ru and /rp flags to obtain the maximum allowed privileges in the task execution session.”