{
	"id": "2bfb4aa2-18cf-4b0e-be54-a5616072241e",
	"created_at": "2026-04-06T02:13:02.370859Z",
	"updated_at": "2026-04-10T13:11:19.022636Z",
	"deleted_at": null,
	"sha1_hash": "2197d3ecec9e3525ad99312896a387996084be83",
	"title": "Defending Against Scheduled Task Attacks in Windows Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5223557,
	"plain_text": "Defending Against Scheduled Task Attacks in Windows\r\nEnvironments\r\nBy Qualys\r\nPublished: 2022-06-21 · Archived: 2026-04-06 02:09:43 UTC\r\nScheduling tasks is one of the most popular attack techniques used by threat actors to establish persistence on a\r\nvictim’s machine. The Qualys Research Team investigated different ways that attackers could use to conceal\r\nscheduled tasks. In this blog, we describe three new techniques to hide and delete scheduled tasks in a Microsoft\r\nWindows environment.\r\nAdversaries abuse task scheduling functionality in Microsoft Windows environments to facilitate initial or\r\nrecurring execution of malicious code at system startup or on a scheduled basis for persistence. In fact, the MITRE\r\nATT\u0026CK framework lists it as one of the most popular techniques used by threat actors, since the ability to\r\nschedule programs or scripts is a common utility across operating systems.\r\nRecently, security researchers at Microsoft published an article that documented how the Chinese state-sponsored\r\ngroup Hafnium concealed scheduled tasks by deleting the Security Descriptor (SD) value within the Windows\r\nregistry path:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME.\r\nFollowing the disclosure by Microsoft, the Qualys Research Team wondered if there are other ways of concealing\r\nscheduled tasks and decided to investigate further. The objective of this blog is to communicate our research\r\nfindings.\r\nOur most important finding is that the Index value within the Windows Registry path\r\n(HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME)\r\ncan also be abused to hide and delete any scheduled task.\r\nFirst, let’s briefly describe the technique used by Hafnium and others to hide a scheduled task. 
Next, we give a\r\ndetailed description of new techniques being used to hide a scheduled task in Microsoft environments.\r\nHow Threat Actors Hide Scheduled Tasks\r\nAccording to Microsoft’s blog, with the creation of every scheduled task, the following two registry subkeys get\r\ncreated: one within the Tree path and the other within the Tasks path.\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments\r\nPage 1 of 8\n\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{GUID}\r\nThe first subkey TASK_NAME, created within the Tree path, matches the name of the scheduled task. The values\r\ncreated within it (i.e. Id, Index, and SD) contain metadata for task registration within the system.\r\nThe second subkey {GUID}, created within the Tasks path, matches the Id value in the Tree subkey. The values\r\ncreated within it (i.e. Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate the\r\nexecution of the task.\r\nIn the case of Hafnium, the threat actor created a scheduled task named “WinUpdate” to re-establish any dropped\r\nconnections to their command \u0026 control infrastructure. This resulted in the creation of subkeys within the Tree\r\npath and Tasks path. Subsequently, the threat actor acquired SYSTEM privileges (via token theft) and deleted the\r\nSD value within the Tree subkey. Removal of the SD value resulted in the task “disappearing” from the Task\r\nScheduler app and the output of schtasks /query command, thereby concealing the scheduled task from any\r\ntraditional means of identification.\r\nOur investigation revealed that modifying or deleting the Index value within the Tree subkey also hides scheduled\r\ntasks. 
Now we’ll review our findings in more detail, but first a quick description of our lab conditions.\r\nThe Qualys Research Team Experimental Setup Environment\r\nOur experiments were conducted on Windows 10 Pro (v10.0.19043), Windows 10 Enterprise (v10.0.19044) and\r\nWindows 2016 server. On every machine, we first performed the following two steps:\r\nA. Configure Object Auditing in the Local Security Policy’s advanced auditing options to get events\r\ncorresponding to scheduled task creation (4698), deletion (4699) and updating (4702) in the Windows\r\nSecurity event log.\r\nB. Create a scheduled task named ImpTask that executes after user login.\r\nschtasks /create /tn ImpTask /tr cmd.exe /sc onlogon /rl highest\r\nOnce the schtasks /create command is executed, the following three subkeys corresponding to the newly created\r\nImpTask are created (refer to Figure 1).\r\n1. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ImpTask\r\n2. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{GUID}\r\n3. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Logon\\{GUID}\r\nThe Index value within the ImpTask subkey is set to 0x2 (see Figure 1) as the {GUID} subkey for this task is created\r\nwithin the Logon path (since the task is scheduled to run after user login).\r\nFigure 1. Three registry keys associated with the scheduled task ImpTask.\r\nNew Methods to Hide a Scheduled Task\r\nWe observed that, when a scheduled task is created, in addition to the Tree and Tasks subkeys, one more subkey\r\ngets created. The location of this third subkey depends on when the task is scheduled to run:\r\n
At startup, as indicated by the /sc onstart parameter of the schtasks /create command\r\nDuring user logon, as indicated by the /sc onlogon parameter of the schtasks /create command\r\nAt a time other than boot or logon (e.g., /sc daily /st 09:00)\r\nThe third subkey is created within one of the following paths:\r\n1. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Boot\\{GUID}\r\n2. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Logon\\{GUID}\r\n3. HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Plain\\{GUID}\r\nThe name of the third subkey {GUID} matches the Id value found in the Tree subkey. We further observed\r\nthat the Index value within the Tree subkey is also related to this third subkey associated with the scheduled task.\r\nWe found that the Index value is set to 0x1, 0x2 or 0x3. Specifically,\r\n1. All tasks registered within the path HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Boot have an Index value of 0x1\r\n2. All tasks registered within the path HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Logon have an Index value of 0x2\r\n3. All tasks registered within the path HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\(Plain or Maintenance) have an Index value of 0x3\r\nThe Qualys Research Team wrote a Python script and ran it across different Windows machines to confirm this\r\nbehavior. Because every scheduled task belongs to one of Boot, Logon, Plain or Maintenance, there appear\r\nto be only three possible values for Index: 0x1, 0x2, or 0x3. Our investigation did not find any online\r\ndocumentation describing the purpose of the Index value associated with the scheduled task. However, we were\r\nable to manipulate the Index value to obtain the following outcomes.\r\n
1. Hide a specific scheduled task: We found that setting the Index value to 0x0 within the Tree subkey hides\r\nthe task from the Task Scheduler app and the output of schtasks /query. However, the task continues to run\r\nas per its scheduled time, even across system restarts. The resulting behavior is exactly the same as what\r\nHafnium threat actors achieved after deleting the SD value. Further, if we try to modify the task after its\r\nIndex value is set to 0x0 using the schtasks /change command, the task gets deleted. However, the event id\r\n4699 corresponding to the scheduled task deletion does not get reported to the Windows Security Event\r\nlog.\r\n2. Hide all scheduled tasks: We also found that deletion of the Index value causes the Task Scheduler app\r\nand schtasks /query to fail with the error message “Internal error occurred”, which effectively hides all\r\nscheduled tasks. The existing tasks continue to run and new tasks can still be created.\r\nSetting the Index to any other value (0x4, 0xffff, etc.) does not hide the scheduled task, and the task continues to\r\nrun as scheduled.\r\nNow let’s examine the two outcomes when the Index value is manipulated.\r\nHide Scheduled Task\r\nIn this first scenario, we create another scheduled task named ModifyIndexTask that executes once with SYSTEM\r\nprivileges – after the creation of ImpTask – and sets the Index value of ImpTask to 0x0. The command is as follows:\r\nschtasks /create /tn ModifyIndexTask /tr \"reg.exe add \\\"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVe\r\nFigure 2. The Index value of ImpTask is modified to 0x0.\r\n
Once ModifyIndexTask is executed, it sets the Index value of ImpTask to 0 (Figure 2). As a result, ImpTask\r\ndisappears from both the Task Scheduler app (Figure 3) and the output of the schtasks /query command (Figure 4).\r\nHowever, ImpTask continues to run even after the system restarts (Figure 5). Although ImpTask does not appear\r\nin the output of the schtasks /query command, Figure 5 shows that it is still possible to get the status of the task using\r\nthe schtasks /query command by specifying the task name with the /tn parameter.\r\nFigure 3. ImpTask disappears from the Task Scheduler app once the Index value is modified to 0x0.\r\nFigure 4. ImpTask disappears from the output of schtasks /query once the Index value is modified to 0x0.\r\nFigure 5. After setting the Index value to 0x0, ImpTask continues to run.\r\nThe Qualys Research Team was able to reproduce this issue on every Windows 10 machine that we experimented\r\nwith, a total of five boxes.\r\nAnother interesting observation was that, if we try to change the program name within ImpTask (with Index value\r\n0x0) using the schtasks /change /tr command, the task gets deleted as shown in Figure 6. The deletion happens without\r\nreporting event id 4699 (scheduled task deletion) or event id 4702 (scheduled task update) in the Windows Security\r\nEvent log. However, event id 4699 is reported if we use the schtasks /delete command to delete ImpTask.\r\nFigure 6. Deletion of ImpTask using schtasks /change /tr leaves no trace in the Windows Security log.\r\n
Hide All Scheduled Tasks\r\nIn this second scenario, we create another scheduled task that executes with SYSTEM privileges and deletes\r\nthe Index value within the ImpTask subkey. The command is as follows:\r\nschtasks /create /tn ModifyIndexTask /tr \"reg.exe delete \\\"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ImpTask\\\" /v Index /f\" /ru \"NT AUTHORITY\\SYSTEM\" /rl highest /sc once /st \u003ctime later than creation time of ImpTask\u003e\r\nOnce the Index value within the ImpTask subkey is deleted (Figure 7), all scheduled tasks disappear from the Task\r\nScheduler app (Figure 8) and the output of the schtasks /query command (Figure 9); instead we get an error message\r\nsaying, “An internal error occurred”. Specifying the task name ImpTask with the /tn parameter doesn’t\r\nwork either.\r\nFigure 7. Index value deleted from the ImpTask subkey.\r\nFigure 8. After Index value deletion, all scheduled tasks disappear from the Task Scheduler app, and an\r\nerror message is displayed.\r\nFigure 9. Specifying the task name using the schtasks /query /tn command also doesn’t work.\r\nAlthough scheduled tasks are not displayed, they are executed as per their scheduled time. The inability to view\r\nscheduled tasks persists even after the system reboots. Modifying ImpTask using the schtasks /change command\r\ncauses the Index value to be generated again, after which the execution of the schtasks /query command is successful\r\n(Figure 10).\r\nFigure 10. Modifying ImpTask using the schtasks /change command causes the Index value to be generated\r\nagain, following which the execution of the schtasks /query command is successful.\r\n
After deleting the Index value, we tried to delete ImpTask using schtasks /delete. Interestingly, the command\r\nfailed with an error message. When we next tried to change ImpTask using the schtasks /change command, the Index\r\nvalue within the ImpTask subkey was restored. All tasks reappeared in the Task Scheduler app and the execution\r\nof schtasks /query was also successful. Note that the Index value is restored only when schtasks /delete precedes\r\nschtasks /change. When we executed schtasks /change without first running schtasks /delete, the Index value was\r\nnot restored, and we continued to get an error message on executing schtasks /query.\r\nConclusion\r\nAn investigation by the Qualys Research Team found that the Index value, along with the SD value, within the Tree\r\nsubkey of a scheduled task plays an important role, and both can be abused by attackers. In this blog, we described\r\nthree new techniques to hide and delete scheduled tasks:\r\n1. Hide a scheduled task from the Task Scheduler app and the output of the schtasks /query command by setting\r\nits Index value to 0x0\r\n2. Delete a scheduled task by first setting its Index value to 0x0 and then using the schtasks /change /tr command,\r\nwhich effectively deletes the task without leaving any trace in the Windows Security Event log\r\n3. Hide all scheduled tasks from the Task Scheduler app and the output of the schtasks /query command by\r\ndeleting the Index value of any scheduled task\r\nAny of these new techniques can be used to hide a scheduled task in Microsoft environments. Therefore, it is\r\nimportant to monitor modifications to both the Index and SD values of scheduled tasks. Alerting on these changes can\r\nreveal attempts to facilitate malicious code execution either at system startup or on a scheduled basis for persistence.\r\nContributors\r\nMayuresh Dani, Threat Research Manager, Qualys\r\nmdani@qualys.com\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments"
	],
	"report_names": [
		"defending-against-scheduled-task-attacks-in-windows-environments"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441582,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2197d3ecec9e3525ad99312896a387996084be83.pdf",
		"text": "https://archive.orkl.eu/2197d3ecec9e3525ad99312896a387996084be83.txt",
		"img": "https://archive.orkl.eu/2197d3ecec9e3525ad99312896a387996084be83.jpg"
	}
}